Windows
Analysis Report
xmrig.exe
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
xmrig.exe (PID: 7316 cmdline:
C:\Users\u ser\Deskto p\xmrig.ex e MD5: 4813FA6D610E180B097EAE0CE636D2AA) conhost.exe (PID: 7356 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 86191D9E0E30631DB3E78E4645804358)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
Linux_Trojan_Pornoasset_927f314f | unknown | unknown |
| |
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
| |
MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
Click to see the 7 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
Linux_Trojan_Pornoasset_927f314f | unknown | unknown |
| |
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
| |
MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
| |
Click to see the 5 entries |
- • AV Detection
- • Bitcoin Miner
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Malware Analysis System Evasion
- • Anti Debugging
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Bitcoin Miner |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Static PE information: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: |
Source: | Mutant created: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Classification label: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Last function: |
Source: | System information queried: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
78% | ReversingLabs | Win64.Trojan.Minerva | ||
100% | Avira | TR/YAV.Minerva.qosyp | ||
77% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
Joe Sandbox Version: | 38.0.0 Beryl |
Analysis ID: | 1315785 |
Start date and time: | 2023-09-28 12:55:13 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 2m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10, Office Professional Plus 2016, Chrome 115, Firefox 115, Adobe Reader 23, Java 8 Update 381 |
Number of analysed new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | xmrig.exe |
Detection: | MAL |
Classification: | mal80.mine.winEXE@2/1@0/0 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe - Execution Graph export aborted
for target xmrig.exe, PID 731 6 because it is empty - Not all processes where analyz
ed, report is missing behavior information
Process: | C:\Users\user\Desktop\xmrig.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 321 |
Entropy (8bit): | 5.234772167479006 |
Encrypted: | false |
SSDEEP: | 6:o9WCnCRRRG25zZvtrhCRM5zZvtrT4xTCRJ4FzZvtrT4Mpg6QIR/BJrXMnGTJzey:o0CnarhtrT4pRxrT4SRJJTMGgy |
MD5: | DF1958A8AA1825D42A88B050268056AC |
SHA1: | 838975AF87B2F77844866F35B7B8CD521DBEEBC6 |
SHA-256: | 96378E92A446739C1F99E466A485DDF17A1CE50EBA592CB1A3746202C84B73F4 |
SHA-512: | E5A6DAC2A61304187850F589CF35DCF161D681A5DEAAAE47C4AF7A1D0341F8DC18A47513F2C6CACA49BC50BA7947D170D73767A8675D2B480CE53C64D141B1E0 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.631241366168512 |
TrID: |
|
File name: | xmrig.exe |
File size: | 8'251'392 bytes |
MD5: | 4813fa6d610e180b097eae0ce636d2aa |
SHA1: | 1e9cd17ea32af1337dd9a664431c809dd8a64d76 |
SHA256: | 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc |
SHA512: | 5463e61b9583dd7e73fc4c0f14252ce06bb1b24637fdf5c4b96b3452cf486b147c980e365ca6633d89e7cfe245131f528a7ecab2340251cef11cdeb49dac36aa |
SSDEEP: | 98304:ZLsUYfB9pOp/BWLbrkShfa+XQD/YPLTDtU5SXXMQHJw7ZB87TtIeUK+MzfL7cybS:Kgp/NQ7rfWOlb1paSbkJFsxfKLNIS |
TLSH: | A8866C17F19350ECC56BC170861BA673F671F8691234BE6F2764DB342E22F905A2EB24 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....c.d...............&.._...}...2............@.............................0......L|~...`... ............................ |
Icon Hash: | 0f3774c95856230f |
Entrypoint: | 0x1400014d0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x64A263DB [Mon Jul 3 05:59:55 2023 UTC] |
TLS Callbacks: | 0x4041d060, 0x1, 0x4041d030, 0x1, 0x404302c0, 0x1 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 16bb67d62ee484974f9392fc52c45722 |
Instruction |
---|
dec eax |
sub esp, 28h |
dec eax |
mov eax, dword ptr [00743265h] |
mov dword ptr [eax], 00000000h |
call 00007F845D34211Fh |
nop |
nop |
dec eax |
add esp, 28h |
ret |
nop dword ptr [eax] |
dec eax |
sub esp, 28h |
call 00007F845D76E51Ch |
dec eax |
cmp eax, 01h |
sbb eax, eax |
dec eax |
add esp, 28h |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
dec eax |
lea ecx, dword ptr [00000009h] |
jmp 00007F845D342459h |
nop dword ptr [eax+00h] |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
inc ecx |
push ebp |
inc ecx |
push esp |
push ebp |
push edi |
push esi |
push ebx |
dec eax |
sub esp, 28h |
inc ecx |
mov eax, dword ptr [eax] |
dec ecx |
cmp dword ptr [ecx+18h], 00000000h |
dec esp |
mov ebp, dword ptr [esp+00000080h] |
dec eax |
mov ebp, dword ptr [esp+00000090h] |
mov dword ptr [ecx], eax |
inc ecx |
mov eax, dword ptr [ecx+04h] |
dec eax |
mov ebx, ecx |
dec esp |
mov esi, ecx |
setne byte ptr [ecx+08h] |
dec ecx |
mov esp, edx |
dec esp |
mov edi, eax |
mov dword ptr [ecx+04h], eax |
dec esp |
mov ecx, ecx |
call 00007F845D3CA9F0h |
dec esp |
mov dword ptr [ebx+18h], esp |
mov byte ptr [ebx+09h], al |
movzx eax, byte ptr [esi+0Bh] |
mov byte ptr [ebx+0Ah], al |
mov eax, dword ptr [esi+10h] |
mov dword ptr [ebx+0Ch], eax |
dec ecx |
mov eax, dword ptr [ebp+00h] |
dec eax |
mov dword ptr [ebx+10h], eax |
dec eax |
mov eax, dword ptr [esp+00000088h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaed000 | 0x46d8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaf4000 | 0x5ce8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x761000 | 0x2ee9c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xafa000 | 0x8e6c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x741960 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xaee01c | 0xf40 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5f0aa0 | 0x5f1000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x5f2000 | 0x10460 | 0x10600 | False | 0.20272244751908397 | data | 3.295673930644331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x603000 | 0x15dce0 | 0x15de00 | False | 0.3762720781975706 | data | 6.453643246818058 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.pdata | 0x761000 | 0x2ee9c | 0x2f000 | False | 0.5192039976728723 | data | 6.366354446992787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.xdata | 0x790000 | 0x3b914 | 0x3ba00 | False | 0.22357344077568134 | data | 5.059190391956642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.bss | 0x7cc000 | 0x320ae0 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xaed000 | 0x46d8 | 0x4800 | False | 0.2824978298611111 | data | 4.800961618809213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0xaf2000 | 0x68 | 0x200 | False | 0.078125 | data | 0.40665232183492983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xaf3000 | 0x10 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xaf4000 | 0x5ce8 | 0x5ce8 | False | 0.3824840228725193 | data | 5.536267098733225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0xafa000 | 0x8e6c | 0x9000 | False | 0.2554524739583333 | data | 5.451438735644192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xaf41c0 | 0x18fb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.965598123534011 |
RT_ICON | 0xaf5ac0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1004149377593361 |
RT_ICON | 0xaf8068 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.1472795497185741 |
RT_ICON | 0xaf9110 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3076241134751773 |
RT_GROUP_ICON | 0xaf9578 | 0x3e | data | English | United States | 0.8064516129032258 |
RT_VERSION | 0xaf95b8 | 0x28c | PGP symmetric key encrypted data - Plaintext or unencrypted data | English | United States | 0.49233128834355827 |
RT_MANIFEST | 0xaf9848 | 0x48f | XML 1.0 document, ASCII text | 0.40102827763496146 |
DLL | Import |
---|---|
ADVAPI32.dll | AdjustTokenPrivileges, AllocateAndInitializeSid, CloseServiceHandle, ControlService, CreateServiceW, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetProvParam, CryptGetUserKey, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeleteService, DeregisterEventSource, FreeSid, GetSecurityInfo, GetTokenInformation, GetUserNameW, LookupPrivilegeValueW, LsaAddAccountRights, LsaClose, LsaOpenPolicy, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceConfigA, QueryServiceStatus, RegCloseKey, RegGetValueW, RegOpenKeyExW, RegQueryValueExW, RegisterEventSourceW, ReportEventW, SetEntriesInAclA, SetSecurityInfo, StartServiceW, SystemFunction036 |
CRYPT32.dll | CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenStore |
IPHLPAPI.DLL | ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameW, GetAdaptersAddresses |
KERNEL32.dll | AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, AssignProcessToJobObject, CancelIo, CancelIoEx, CancelSynchronousIo, CloseHandle, ConnectNamedPipe, ConvertFiberToThread, ConvertThreadToFiber, CopyFileW, CreateDirectoryW, CreateEventA, CreateFiber, CreateFileA, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateIoCompletionPort, CreateJobObjectW, CreateNamedPipeA, CreateNamedPipeW, CreateProcessW, CreateSemaphoreA, CreateSymbolicLinkW, CreateToolhelp32Snapshot, DebugBreak, DeleteCriticalSection, DeleteFiber, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExpandEnvironmentStringsA, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterW, FindClose, FindFirstFileW, FindNextFileW, FindResourceW, FlushFileBuffers, FlushInstructionCache, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetComputerNameA, GetConsoleCursorInfo, GetConsoleMode, GetConsoleScreenBufferInfo, GetConsoleTitleW, GetConsoleWindow, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDiskFreeSpaceW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesA, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileSizeEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetHandleInformation, GetLargePageMinimum, GetLastError, GetLongPathNameW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNamedPipeHandleStateA, GetNativeSystemInfo, GetNumberOfConsoleInputEvents, GetPriorityClass, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetQueuedCompletionStatus, GetShortPathNameW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetSystemFirmwareTable, GetSystemInfo, GetSystemPowerStatus, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GetTickCount64, GetVersion, GetVersionExA, GetVersionExW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, K32GetProcessMemoryInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LockResource, MapViewOfFile, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryPerformanceCounter, QueryPerformanceFrequency, QueueUserWorkItem, RaiseException, ReOpenFile, ReadConsoleA, ReadConsoleInputW, ReadConsoleW, ReadDirectoryChangesW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, RemoveDirectoryW, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetConsoleCtrlHandler, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleMode, SetConsoleTextAttribute, SetConsoleTitleA, SetConsoleTitleW, SetCurrentDirectoryW, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFileCompletionNotificationModes, SetFilePointerEx, SetFileTime, SetHandleInformation, SetInformationJobObject, SetLastError, SetNamedPipeHandleState, SetPriorityClass, SetProcessAffinityMask, SetSystemTime, SetThreadAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SizeofResource, Sleep, SleepConditionVariableCS, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, TryAcquireSRWLockShared, TryEnterCriticalSection, UnmapViewOfFile, UnregisterWait, UnregisterWaitEx, VerSetConditionMask, VerifyVersionInfoA, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeW, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleInputW, WriteConsoleW, WriteFile, __C_specific_handler |
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __argv, __doserrno, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _assert, _beginthreadex, _cexit, _close, _close, _commode, _endthreadex, _errno, _exit, _fdopen, _filelengthi64, _fileno, _findclose, _fileno, _findfirst64, _findnext64, _fmode, _fstat64, _fullpath, _get_osfhandle, _gmtime64, _initterm, _isatty, _localtime64, _lock, _lseeki64, _mkdir, _onexit, _open, _open_osfhandle, _read, _read, _setjmp, _setmode, _snwprintf, _stat64, _stricmp, _strdup, _strdup, _strnicmp, _time64, _ultoa, _unlock, _umask, _vscprintf, _vsnprintf, _vsnwprintf, _wchmod, _wcsdup, _wcsnicmp, _wcsrev, _wfopen, _wopen, _write, _wrmdir, abort, atof, atoi, calloc, exit, fclose, feof, ferror, fflush, fgetpos, fgets, fopen, fprintf, fputc, fputs, fread, free, fseek, fsetpos, ftell, fwrite, getc, getenv, getwc, islower, isspace, isupper, iswctype, isxdigit, _write, localeconv, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, putc, putwc, qsort, raise, realloc, rand, setlocale, setvbuf, signal, sprintf, srand, strcat, strchr, strcmp, strcoll, strcpy, strcspn, strerror, strftime, strlen, strncmp, strncpy, strrchr, strspn, strstr, strtol, strtoul, strxfrm, tolower, toupper, towlower, towupper, ungetc, vfprintf, ungetwc, wcschr, wcscmp, wcscoll, wcscpy, wcsftime, wcslen, wcsncmp, wcsncpy, wcspbrk, wcsrchr, wcsstr, wcstombs, wcsxfrm |
ole32.dll | CoCreateInstance, CoInitializeEx, CoUninitialize |
SHELL32.dll | SHGetSpecialFolderPathA |
USER32.dll | DispatchMessageA, GetLastInputInfo, GetMessageA, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, MapVirtualKeyW, MessageBoxW, ShowWindow, TranslateMessage |
USERENV.dll | GetUserProfileDirectoryW |
WS2_32.dll | FreeAddrInfoW, GetAddrInfoW, WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSAGetOverlappedResult, WSAIoctl, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSASetLastError, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyname, gethostname, getnameinfo, getpeername, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohs, recv, select, send, setsockopt, shutdown, socket |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 12:55:57 |
Start date: | 28/09/2023 |
Path: | C:\Users\user\Desktop\xmrig.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff77de30000 |
File size: | 8'251'392 bytes |
MD5 hash: | 4813FA6D610E180B097EAE0CE636D2AA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:55:58 |
Start date: | 28/09/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff78b990000 |
File size: | 873'472 bytes |
MD5 hash: | 86191D9E0E30631DB3E78E4645804358 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |