
Windows Analysis Report pj31M24DLn

Overview

General Information

Sample Name: pj31M24DLn (renamed file extension from none to exe)
Analysis ID: 469482
MD5: 5e02008227eca0fcf1fe8aeeb4c98e19
SHA1: ca95c35826e62009dbeb985b6b59e3b4f53e9abb
SHA256: 91dd3fa11964f4432bb43ee5f63580d53ba35dfdcfd5d8ec1b0e00f3f7b20258
Tags: 32 exe trojan

Detection

Phoenix Miner, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AntiVM3
Antivirus detection for dropped file
Yara detected Phoenix Miner
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (window names)
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
PE file contains section with special chars
Hides threads from debuggers
Machine Learning detection for dropped file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to download and execute PE files
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains capabilities to detect virtual machines
Uses taskkill to terminate processes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • pj31M24DLn.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\pj31M24DLn.exe' MD5: 5E02008227ECA0FCF1FE8AEEB4C98E19)
    • pj31M24DLn.exe (PID: 6580 cmdline: C:\Users\user\Desktop\pj31M24DLn.exe MD5: 5E02008227ECA0FCF1FE8AEEB4C98E19)
      • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Database.exe (PID: 6928 cmdline: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth MD5: 20CF7F09F5C2F25A71F8BB091F4EEC9A)
      • Datahub.exe (PID: 7136 cmdline: NULL MD5: 4C03F40035BF018553157080F1B02671)
      • cmd.exe (PID: 1000 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 2316 cmdline: taskkill /IM Database.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 2540 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6164 cmdline: taskkill /IM Datahub.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
          • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • taskkill.exe (PID: 6924 cmdline: taskkill /IM MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 4948 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4460 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6480 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6528 cmdline: taskkill /IM Database.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 6316 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6384 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 3552 cmdline: taskkill /IM MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 5436 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Database.exe (PID: 3880 cmdline: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth MD5: 20CF7F09F5C2F25A71F8BB091F4EEC9A)
      • cmd.exe (PID: 5636 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 1276 cmdline: taskkill /IM Database.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 372 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 3204 cmdline: taskkill /IM Datahub.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 1884 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2600 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6164 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • cmd.exe (PID: 6276 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2252 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6708 cmdline: taskkill /IM MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 5628 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Database.exe (PID: 6012 cmdline: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth MD5: 20CF7F09F5C2F25A71F8BB091F4EEC9A)
      • cmd.exe (PID: 6024 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6156 cmdline: taskkill /IM Database.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 6044 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6956 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 340 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • System.exe (PID: 6940 cmdline: 'C:\ProgramData\Microsoft Network\System.exe' MD5: 5E02008227ECA0FCF1FE8AEEB4C98E19)
    • System.exe (PID: 6524 cmdline: C:\ProgramData\Microsoft Network\System.exe MD5: 5E02008227ECA0FCF1FE8AEEB4C98E19)
    • System.exe (PID: 6388 cmdline: C:\ProgramData\Microsoft Network\System.exe MD5: 5E02008227ECA0FCF1FE8AEEB4C98E19)
    • System.exe (PID: 4756 cmdline: C:\ProgramData\Microsoft Network\System.exe MD5: 5E02008227ECA0FCF1FE8AEEB4C98E19)
    • System.exe (PID: 1012 cmdline: C:\ProgramData\Microsoft Network\System.exe MD5: 5E02008227ECA0FCF1FE8AEEB4C98E19)
      • conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Datahub.exe (PID: 1112 cmdline: NULL MD5: 4C03F40035BF018553157080F1B02671)
      • cmd.exe (PID: 1236 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6840 cmdline: taskkill /IM Database.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 6764 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 992 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 716 cmdline: taskkill /IM Datahub.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 4036 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Datahub.exe (PID: 6016 cmdline: NULL MD5: 4C03F40035BF018553157080F1B02671)
      • cmd.exe (PID: 6020 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Database.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6064 cmdline: taskkill /IM Database.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 6040 cmdline: 'C:\Windows\System32\cmd.exe' /K taskkill /IM Datahub.exe /F && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 5064 cmdline: taskkill /IM Datahub.exe /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 5504 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Data\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6844 cmdline: 'C:\Windows\System32\cmd.exe' /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\Systemd\Datahub.exe | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
0000002A.00000003.437528742.00000000018E7000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
0000002A.00000003.465261330.0000000001938000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
0000002A.00000003.465421064.000000000192C000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000008.00000003.283579328.0000014CD6E73000.00000004.00000001.sdmp | JoeSecurity_PhoenixMiner | Yara detected Phoenix Miner | Joe Security |
0000002A.00000003.383736027.00000000018E7000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
(58 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.System.exe.29b2f54.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
1.2.pj31M24DLn.exe.3002f38.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
12.0.Datahub.exe.400000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
  • 0x5a9be8:$x1: donate.ssl.xmrig.com
  • 0x5aa0b9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
  • 0x63b613:$s2: \\?\pipe\uv\%p-%lu
12.0.Datahub.exe.400000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
12.2.Datahub.exe.400000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
  • 0x5a9be8:$x1: donate.ssl.xmrig.com
  • 0x5aa0b9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
  • 0x63b613:$s2: \\?\pipe\uv\%p-%lu
(1 further entry not shown in this extract)

Sigma Overview

Bitcoin Miner:

Sigma detected: Xmrig
Source: Process started
Author: Joe Security
Data:
  Command: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth
  CommandLine: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth
  CommandLine|base64offset|contains:
  Image: C:\ProgramData\Data\Database.exe
  NewProcessName: C:\ProgramData\Data\Database.exe
  OriginalFileName: C:\ProgramData\Data\Database.exe
  ParentCommandLine: C:\Users\user\Desktop\pj31M24DLn.exe
  ParentImage: C:\Users\user\Desktop\pj31M24DLn.exe
  ParentProcessId: 6580
  ProcessCommandLine: -epool eth.2miners.com:2020 -ewal 0x1bc6d72712986fDF33860e1e1B55C11000901350 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -coin eth
  ProcessId: 6928

                    Jbx Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\ProgramData\Data\Database.exe; Avira: detection malicious, Label: HEUR/AGEN.1141501
Multi AV Scanner detection for submitted file
Source: pj31M24DLn.exe; Virustotal: Detection: 35%
Source: pj31M24DLn.exe; ReversingLabs: Detection: 32%
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Microsoft Network\System.exe; ReversingLabs: Detection: 32%
Source: C:\ProgramData\Systemd\Datahub.exe; ReversingLabs: Detection: 51%
Source: C:\ProgramData\Systemd\old.exe (copy); ReversingLabs: Detection: 51%
Machine Learning detection for sample
Source: pj31M24DLn.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\ProgramData\Systemd\Datahub.exe; Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft Network\System.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041AD90 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptGenerateSymmetricKey, 5_2_0041AD90
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041B0E0 BCryptOpenAlgorithmProvider,BCryptDeriveKeyPBKDF2,BCryptCloseAlgorithmProvider, 5_2_0041B0E0
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041B0B0 BCryptFinishHash, 5_2_0041B0B0
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041B150 BCryptGenRandom, 5_2_0041B150
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041AD50 BCryptDestroyKey,BCryptCloseAlgorithmProvider, 5_2_0041AD50
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041AD20 BCryptEncrypt, 5_2_0041AD20
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041AEF0 BCryptDestroyHash,BCryptCloseAlgorithmProvider, 5_2_0041AEF0
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041AEB0 BCryptHashData, 5_2_0041AEB0
Source: C:\Users\user\Desktop\pj31M24DLn.exe; Code function: 5_2_0041AF40 BCryptOpenAlgorithmProvider,BCryptDestroyHash,BCryptCloseAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptCreateHash, 5_2_0041AF40
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041B0E0 BCryptOpenAlgorithmProvider,BCryptDeriveKeyPBKDF2,BCryptCloseAlgorithmProvider, 42_2_0041B0E0
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041B0B0 BCryptFinishHash, 42_2_0041B0B0
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041B150 BCryptGenRandom, 42_2_0041B150
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041AD50 BCryptDestroyKey,BCryptCloseAlgorithmProvider, 42_2_0041AD50
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041AD20 BCryptEncrypt, 42_2_0041AD20
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041AD90 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptGenerateSymmetricKey, 42_2_0041AD90
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041AEF0 BCryptDestroyHash,BCryptCloseAlgorithmProvider, 42_2_0041AEF0
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041AEB0 BCryptHashData, 42_2_0041AEB0
Source: C:\ProgramData\Microsoft Network\System.exe; Code function: 42_2_0041AF40 BCryptOpenAlgorithmProvider,BCryptDestroyHash,BCryptCloseAlgorithmProvider,BCryptGetProperty,BCryptGetProperty,BCryptCreateHash, 42_2_0041AF40

Bitcoin Miner:

Yara detected Phoenix Miner
Source: Yara match; File source: 00000008.00000003.283579328.0000014CD6E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000004D.00000003.356027445.000001C954DC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.283842107.0000014CD6E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.283811817.0000014CD6E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.283765357.0000014CD6E69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000004D.00000002.356735670.000001C954DC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.284163364.0000014CD6E6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.284116824.0000014CD6E37000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 0000004D.00000003.355915521.000001C954DC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Database.exe PID: 6928, type: MEMORYSTR
Yara detected Xmrig cryptocurrency miner
Source: Yara match; File source: 12.0.Datahub.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.Datahub.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000002A.00000003.437528742.00000000018E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.465261330.0000000001938000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.465421064.000000000192C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.383736027.00000000018E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.484792621.00000000013B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.411819516.00000000013BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.343435775.00000000018A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.431283436.0000000001929000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.393725666.00000000013C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.412427558.00000000013BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000004E.00000000.353211756.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.372414007.00000000013A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.429857116.00000000013AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.431315418.000000000192E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.453671282.0000000001400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.383874736.00000000018E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.448782683.0000000001937000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.479728696.0000000001948000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.470837332.0000000001377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.349652487.0000000001394000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.484245759.0000000001406000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.295411010.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000004E.00000002.357680214.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002E.00000000.320822201.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.446937269.0000000001377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.470593774.00000000013D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.343399028.000000000189C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.411711852.0000000001390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.297772498.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.317187846.0000000001377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002E.00000002.325073145.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.440717906.00000000013AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.496915008.0000000001377000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.298674276.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002E.00000000.322405849.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002E.00000002.324682888.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.445919098.00000000013EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.440557165.00000000013AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000002A.00000003.343038623.00000000018AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.447150779.00000000013BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000004E.00000000.352973330.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.295990788.0000000000E04000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000004E.00000002.356898921.0000000000958000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.393985986.000000000138D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.484465991.00000000013B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.453800170.0000000001377000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: pj31M24DLn.exe PID: 6580, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Datahub.exe PID: 7136, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: System.exe PID: 1012, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\Systemd\Datahub.exe, type: DROPPED
Found strings related to Crypto-Mining
Source: Datahub.exe; String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: Datahub.exe; String found in binary or memory: cryptonight_v7
Source: Datahub.exe; String found in binary or memory: -o, --url=URL URL of mining server
Source: Datahub.exe; String found in binary or memory: stratum+tcp://
Source: Datahub.exe; String found in binary or memory: Usage: xmrig [OPTIONS] Network:
Source: pj31M24DLn.exe, 00000005.00000003.484792621.00000000013B0000.00000004.00000001.sdmp; String found in binary or memory: FileDescriptionXMRig miner.
Source: pj31M24DLn.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown; HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 52.217.108.52:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: pj31M24DLn.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: Database.exe, 00000008.00000002.296694327.00007FF67BCBD000.00000040.00020000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: Database.exe, 00000008.00000002.296694327.00007FF67BCBD000.00000040.00020000.sdmp