Windows Analysis Report
GoogleCrashHandler.exe

Overview

General Information

Sample Name: GoogleCrashHandler.exe
Analysis ID: 1343785
MD5: c24a1dabb1317bf50bac152886909815
SHA1: 06e7057329969bd1e784998844c0edcf2217f687
SHA256: 094e85e0a3de0e0c907c942f6cb4d97ee434d2a7db81a4a19da65a4cd010c3f5
Tags: exeGuLoaderXMRig
Infos:

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Detected Stratum mining protocol
Machine Learning detection for sample
PE file has nameless sections
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Entry point lies outside standard sections
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Checks for debuggers (devices)
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: GoogleCrashHandler.exe ReversingLabs: Detection: 42%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Avira: detection malicious, Label: HEUR/AGEN.1311584
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: GoogleCrashHandler.exe Joe Sandbox ML: detected

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: dump.pcap, type: PCAP
Detected Stratum mining protocol
Source: global traffic TCP traffic: 192.168.2.4:49825 -> 54.83.130.110:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 52 32 33 31 31 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 32 30 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 32 32 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 72 78 2f 30 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"r2311","pass":"x","agent":"xmrig/6.20.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: global traffic TCP traffic: 192.168.2.4:50248 -> 54.83.130.110:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 52 32 33 31 31 22 2c 22 70 61 73 73 22 3a 22 78 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 32 30 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 32 32 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 72 78 2f 30 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"r2311","pass":"x","agent":"xmrig/6.20.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: global traffic TCP traffic: 192.168.2.4:49729 -> 44.224.209.130:10128 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"87usmauogm8werbout1hceqfdd8vvxdiec4npg3nqx8qfsunb1djrrwae3ujxlxzbxsmc8srxhfz3xy6edxrw72hnxdgkul","pass":"x","agent":"xmrig/6.20.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic TCP traffic: 192.168.2.4:49824 -> 44.224.209.130:10128 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"87usmauogm8werbout1hceqfdd8vvxdiec4npg3nqx8qfsunb1djrrwae3ujxlxzbxsmc8srxhfz3xy6edxrw72hnxdgkul","pass":"x","agent":"xmrig/6.20.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic TCP traffic: 192.168.2.4:50071 -> 44.224.209.130:10128 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"87usmauogm8werbout1hceqfdd8vvxdiec4npg3nqx8qfsunb1djrrwae3ujxlxzbxsmc8srxhfz3xy6edxrw72hnxdgkul","pass":"x","agent":"xmrig/6.20.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic TCP traffic: 192.168.2.4:50249 -> 44.224.209.130:10128 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"87usmauogm8werbout1hceqfdd8vvxdiec4npg3nqx8qfsunb1djrrwae3ujxlxzbxsmc8srxhfz3xy6edxrw72hnxdgkul","pass":"x","agent":"xmrig/6.20.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Uses 32bit PE files
Source: GoogleCrashHandler.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 4x nop then dec ecx 5_2_0000018429B90000
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 4x nop then dec ecx 5_2_0000018429B9367D
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 4x nop then dec ecx 5_2_0000018429B9767D
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 4x nop then dec ecx 5_2_0000018429B9B67D
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 4x nop then dec ecx 5_2_0000018429B9F67D
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 4x nop then dec ecx 5_2_0000018429BA367D
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 44.224.209.130 44.224.209.130
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49729 -> 44.224.209.130:10128
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: GoogleCrashHandler.exe String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: GoogleCrashHandler.exe String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: GoogleCrashHandler.exe String found in binary or memory: http://pki-ocsp.symauth.com0
Source: GoogleCrashHandler.exe, 00000000.00000002.4091844936.000000000040A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.abyssmedia.com
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU
Source: dIlhost.exe, 00000005.00000000.1647845111.00007FF7E93E4000.00000080.00000001.01000000.00000005.sdmp, dIlhost.exe.0.dr String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: dIlhost.exe, 00000005.00000000.1647845111.00007FF7E93E4000.00000080.00000001.01000000.00000005.sdmp, dIlhost.exe.0.dr String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: unknown DNS traffic detected: queries for: gulf.moneroocean.stream

System Summary
barindex
PE file has nameless sections
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Uses 32bit PE files
Source: GoogleCrashHandler.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B90000 5_2_0000018429B90000
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429BA02F3 5_2_0000018429BA02F3
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B902F3 5_2_0000018429B902F3
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B942F3 5_2_0000018429B942F3
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B982F3 5_2_0000018429B982F3
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B9C2F3 5_2_0000018429B9C2F3
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B9367D 5_2_0000018429B9367D
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B9767D 5_2_0000018429B9767D
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B9B67D 5_2_0000018429B9B67D
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429B9F67D 5_2_0000018429B9F67D
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Code function: 5_2_0000018429BA367D 5_2_0000018429BA367D
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: String function: 0041D2AC appears 85 times
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Process Stats: CPU usage > 49%
Sample file is different than original file name gathered from version info
Source: GoogleCrashHandler.exe, 00000000.00000002.4092388894.0000000000417000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGoogleUpdate.exe< vs GoogleCrashHandler.exe
Source: GoogleCrashHandler.exe Binary or memory string: OriginalFilenameGoogleUpdate.exe< vs GoogleCrashHandler.exe
PE file contains more sections than normal
Source: GoogleCrashHandler.exe Static PE information: Number of sections : 12 > 10
Source: dIlhost.exe.0.dr Static PE information: Number of sections : 13 > 10
Source: dIlhost.exe.0.dr Static PE information: Section: ZLIB complexity 1.0003164095631891
Source: dIlhost.exe.0.dr Static PE information: Section: ZLIB complexity 1.0071614583333333
Source: GoogleCrashHandler.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe File read: C:\Users\user\Desktop\GoogleCrashHandler.exe Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\GoogleCrashHandler.exe C:\Users\user\Desktop\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ""C:\Users\user\AppData\Local\Temp\52525UWJ.bat" "C:\Users\user\Desktop\GoogleCrashHandler.exe""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I "dIlhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\dIlhost.exe C:\Users\user\AppData\Local\Temp\dIlhost.exe
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ""C:\Users\user\AppData\Local\Temp\52525UWJ.bat" "C:\Users\user\Desktop\GoogleCrashHandler.exe"" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I "dIlhost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\dIlhost.exe C:\Users\user\AppData\Local\Temp\dIlhost.exe Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe File created: C:\Users\user\AppData\Local\Temp\evbAB77.tmp Jump to behavior
Source: classification engine Classification label: mal100.evad.mine.winEXE@10/2@5/2
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ""C:\Users\user\AppData\Local\Temp\52525UWJ.bat" "C:\Users\user\Desktop\GoogleCrashHandler.exe""
Source: GoogleCrashHandler.exe Static file information: File size 7058944 > 1048576
Source: GoogleCrashHandler.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x5c5400

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Unpacked PE file: 0.2.GoogleCrashHandler.exe.400000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:W;Unknown_Section4:EW;Unknown_Section5:W;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;.rsrc:EW;Unknown_Section10:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:ER;Unknown_Section2:W;Unknown_Section3:W;Unknown_Section4:W;Unknown_Section5:W;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;.rsrc:EW;Unknown_Section10:EW;.data:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004383A8 push ecx; mov dword ptr [esp], ecx 0_2_004383AD
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004327D8 push 00432838h; ret 0_2_00432830
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_0043288E push 004329DCh; ret 0_2_004329D4
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004309C0 push 00430A36h; ret 0_2_00430A2E
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00430A38 push 00430AE0h; ret 0_2_00430AD8
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00420AC8 push ecx; mov dword ptr [esp], eax 0_2_00420AC9
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00430AE2 push 00430B30h; ret 0_2_00430B28
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00432ABC push ecx; mov dword ptr [esp], ecx 0_2_00432ABF
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00430B86 push 00430B30h; ret 0_2_00430B28
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00420D72 push 00420DA0h; ret 0_2_00420D98
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00432D2C push ecx; mov dword ptr [esp], ecx 0_2_00432D2E
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00428DDC push ecx; mov dword ptr [esp], edx 0_2_00428DE1
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00420DAC push 00420DD8h; ret 0_2_00420DD0
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00420ED4 push 00420F00h; ret 0_2_00420EF8
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_0043D1CC push ecx; mov dword ptr [esp], edx 0_2_0043D1CE
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004352D8 push ecx; mov dword ptr [esp], eax 0_2_004352D9
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00429308 push 00429754h; ret 0_2_0042974C
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_0042147A push 004214A8h; ret 0_2_004214A0
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004214EC push 00421518h; ret 0_2_00421510
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004214B4 push 004214E0h; ret 0_2_004214D8
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00421524 push 00421550h; ret 0_2_00421548
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_0043553C push ecx; mov dword ptr [esp], edx 0_2_00435541
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004395D4 push ecx; mov dword ptr [esp], edx 0_2_004395D6
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00421588 push 004215BCh; ret 0_2_004215B4
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_0041F630 push 0041F681h; ret 0_2_0041F679
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00429756 push 004297C7h; ret 0_2_004297BF
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_00435764 push ecx; mov dword ptr [esp], edx 0_2_00435769
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_0043F844 push ecx; mov dword ptr [esp], edx 0_2_0043F849
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004358C4 push ecx; mov dword ptr [esp], edx 0_2_004358C9
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004298DA push 00429908h; ret 0_2_00429900
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_0041F8EA push 0041F918h; ret 0_2_0041F910
PE file contains sections with non-standard names
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: GoogleCrashHandler.exe Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Source: dIlhost.exe.0.dr Static PE information: section name:
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .data
PE file contains an invalid checksum
Source: GoogleCrashHandler.exe Static PE information: real checksum: 0x10c15 should be: 0x6bbd37
Source: dIlhost.exe.0.dr Static PE information: real checksum: 0x5348f1 should be: 0x533198
Source: initial sample Static PE information: section name: entropy: 7.969468912561136
Source: initial sample Static PE information: section name: entropy: 7.279577688751389
Source: initial sample Static PE information: section name: entropy: 7.701110638780281
Source: initial sample Static PE information: section name: entropy: 6.884518743861056
Source: initial sample Static PE information: section name: .data entropy: 7.976640387117388
Source: initial sample Static PE information: section name: entropy: 7.999651368090147
Source: initial sample Static PE information: section name: entropy: 7.865777777880038
Source: initial sample Static PE information: section name: entropy: 7.8901023678560795
Source: initial sample Static PE information: section name: entropy: 7.793527302881189
Source: initial sample Static PE information: section name: entropy: 7.953916204328331
Drops PE files
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe File created: C:\Users\user\AppData\Local\Temp\dIlhost.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe System information queried: FirmwareTableInformation Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe TID: 2932 Thread sleep count: 445 > 30 Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe TID: 4484 Thread sleep count: 9265 > 30 Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe TID: 4484 Thread sleep time: -9265000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe TID: 8 Thread sleep count: 219 > 30 Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe TID: 8 Thread sleep time: -219000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe TID: 4484 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe TID: 4484 Thread sleep time: -47000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe TID: 6844 Thread sleep count: 354 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe TID: 3612 Thread sleep count: 9360 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe TID: 3612 Thread sleep time: -9360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe TID: 1260 Thread sleep count: 236 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe TID: 1260 Thread sleep time: -236000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Window / User API: threadDelayed 445 Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Window / User API: threadDelayed 9265 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Window / User API: threadDelayed 354 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Window / User API: threadDelayed 9360 Jump to behavior
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V (guest)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000575000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~VirtualMachineTypes
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000575000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000575000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: dIlhost.exe, 00000005.00000002.4095350607.000001842A5ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-VU
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: GoogleCrashHandler.exe, GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: GoogleCrashHandler.exe, 00000000.00000002.4092495212.0000000000419000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Open window title or class name: ollydbg
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dIlhost.exe Process queried: DebugPort Jump to behavior
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe File opened: SIWDEBUG
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe File opened: NTICE
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe File opened: SICE
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ""C:\Users\user\AppData\Local\Temp\52525UWJ.bat" "C:\Users\user\Desktop\GoogleCrashHandler.exe"" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe FINDSTR /I "dIlhost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\dIlhost.exe C:\Users\user\AppData\Local\Temp\dIlhost.exe Jump to behavior
Source: conhost.exe, 00000002.00000002.4094048349.000001CAFE350000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000002.00000002.4094048349.000001CAFE350000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000002.00000002.4094048349.000001CAFE350000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: conhost.exe, 00000002.00000002.4094048349.000001CAFE350000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\GoogleCrashHandler.exe Code function: 0_2_004259D4 GetLocalTime, 0_2_004259D4
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1343785 Sample: GoogleCrashHandler.exe Startdate: 16/11/2023 Architecture: WINDOWS Score: 100 26 monerooceans.stream 2->26 28 xmr.shinrarigs.com 2->28 30 2 other IPs or domains 2->30 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Xmrig cryptocurrency miner 2->38 40 Machine Learning detection for sample 2->40 42 2 other signatures 2->42 8 GoogleCrashHandler.exe 3 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\dIlhost.exe, PE32+ 8->24 dropped 44 Detected unpacking (changes PE section rights) 8->44 46 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->46 48 Hides threads from debuggers 8->48 12 cmd.exe 1 8->12         started        signatures6 process7 process8 14 dIlhost.exe 2 12->14         started        18 conhost.exe 12->18         started        20 tasklist.exe 1 12->20         started        22 findstr.exe 1 12->22         started        dnsIp9 32 monerooceans.stream 44.224.209.130, 10128, 49729, 49737 AMAZON-02US United States 14->32 34 shinrafarm-c806d54b3bcf0f24.elb.us-east-1.amazonaws.com 54.83.130.110, 49742, 49744, 49746 AMAZON-AESUS United States 14->34 50 Antivirus detection for dropped file 14->50 52 Multi AV Scanner detection for dropped file 14->52 54 Query firmware table information (likely to detect VMs) 14->54 56 Hides threads from debuggers 14->56 signatures10 58 Detected Stratum mining protocol 34->58
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
54.83.130.110
 shinrafarm-c806d54b3bcf0f24.elb.us-east-1.amazonaws.com United States
14618 AMAZON-AESUS false
44.224.209.130
 monerooceans.stream United States
16509 AMAZON-02US true

Contacted Domains

Name IP Active
monerooceans.stream 44.224.209.130 true
shinrafarm-c806d54b3bcf0f24.elb.us-east-1.amazonaws.com 54.83.130.110 true
gulf.moneroocean.stream unknown unknown
xmr.shinrarigs.com unknown unknown