
Windows Analysis Report
KVAoyRsrZC.exe

Overview

General Information

Sample name: KVAoyRsrZC.exe (renamed because the original name is a hash value)
Original sample name: 898e1da2e8cd2b209e90b5aa9f662b13e96a412238059d9b925d023f00a43b2f.exe
Analysis ID: 1467024
MD5: 7584a2cb74c2018e63e3d0eca65d8c61
SHA1: 34eab33535798fada3565de8d8ed20a88b788895
SHA256: 898e1da2e8cd2b209e90b5aa9f662b13e96a412238059d9b925d023f00a43b2f
Tags: CoinMiner, exe

Detection

Score: 72 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Process Tree

  • System is w10x64
  • KVAoyRsrZC.exe (PID: 7852 cmdline: "C:\Users\user\Desktop\KVAoyRsrZC.exe" MD5: 7584A2CB74C2018E63E3D0ECA65D8C61)
  • svchost.exe (PID: 7952 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • Sgrmuserer.exe (PID: 7992 cmdline: C:\Windows\system32\Sgrmuserer.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 8008 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8068 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8124 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8136 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 7868 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 1636 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p | CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p | CommandLine|base64offset|contains: (empty) | Image: C:\Windows\System32\svchost.exe | NewProcessName: C:\Windows\System32\svchost.exe | OriginalFileName: C:\Windows\System32\svchost.exe | ParentCommandLine: (empty) | ParentImage: (empty) | ParentProcessId: 620 | ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p | ProcessId: 7952 | ProcessName: svchost.exe
  (ParentImage and ParentCommandLine are empty in this event, so whatever the rule's parent-process condition is, it was evaluated against missing parent telemetry. Check whether PID 620 is services.exe before counting this as a finding: the sample, PID 7852, has no child processes in the tree above, and "svchost.exe -k NetworkService -p" is a normal service-host command line.)
No Snort rule has matched
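The empty ParentImage in the Sigma event above is the case a detection engineer has to handle deliberately. The following Python is an added example, not part of the Joe Sandbox report and not the matched Sigma rule itself: it applies a simplified version of that kind of rule (svchost.exe must live in System32 or SysWOW64 and be started by services.exe; the published rule's allow-list is longer, so treat LEGIT_DIRS and LEGIT_PARENTS as assumptions) to four process-creation events in the field layout the report uses. The first event is the one quoted above; the other three are constructed for contrast. A missing parent image is reported as inconclusive rather than as a hit, after one attempt to resolve the parent PID from the same event set.

```python
# Process-creation events in the field layout the report shows. The first is the event
# quoted from the report (empty ParentImage); the other three are constructed for contrast.
EVENTS = [
    {"ProcessId": 7952, "ParentProcessId": 620, "ParentImage": "",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k NetworkService -p"},
    {"ProcessId": 9001, "ParentProcessId": 620, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 9002, "ParentProcessId": 7852, "ParentImage": r"C:\Users\user\Desktop\KVAoyRsrZC.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ProcessId": 9003, "ParentProcessId": 4321, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"svchost.exe"},
]

# Assumptions, not the real rule's filter: legitimate service hosts live in these directories
# and are started by services.exe (the published rule allow-lists a few more parents).
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LEGIT_PARENTS = ("\\services.exe",)


def evaluate(event: dict, pid_to_image: dict) -> str:
    """Verdict for one process-creation event."""
    image = event["Image"].lower()
    if not image.endswith("\\svchost.exe"):
        return "not-applicable"
    if not image.startswith(LEGIT_DIRS):
        return "hit: svchost.exe outside System32/SysWOW64"
    # Prefer the event's own ParentImage; fall back to an earlier creation event for the parent PID.
    parent = (event.get("ParentImage") or pid_to_image.get(event["ParentProcessId"]) or "").lower()
    if not parent:
        return f"inconclusive: parent image not captured; resolve ParentProcessId {event['ParentProcessId']}"
    if parent.endswith(LEGIT_PARENTS):
        return "pass"
    return f"hit: svchost.exe spawned by {parent}"


def triage(events: list) -> dict:
    """Map each ProcessId to a verdict; PIDs that start within the same log double as parent lookups."""
    pid_to_image = {e["ProcessId"]: e["Image"] for e in events}
    return {e["ProcessId"]: evaluate(e, pid_to_image) for e in events}


if __name__ == "__main__":
    for pid, verdict in triage(EVENTS).items():
        print(pid, verdict)
```

Run against the report's event, the result is "inconclusive" with the PID to resolve, which is the honest answer the sandbox's automatic Sigma match glosses over; only the constructed events in which svchost.exe is spawned from the sample or runs from a user-writable directory come back as hits.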


AV Detection

Source: KVAoyRsrZC.exe | ReversingLabs: Detection: 75%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: KVAoyRsrZC.exe | Joe Sandbox ML: detected

Bitcoin Miner

Source: global traffic | TCP traffic: 192.168.2.10:49707 -> 185.10.68.220:443
  payload (raw hex): 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 58 6d 72 69 67 42 65 74 61 32 22 2c 22 70 61 73 73 22 3a 22 22 2c 22 61 67 65 6e 74 22 3a 22 53 65 72 76 69 63 65 73 20 61 6e 64 20 43 6f 6e 74 72 6f 6c 6c 65 72 20 61 70 70 2f 31 30 2e 30 2e 31 37 31 33 34 2e 31 20 28 57 69 6e 42 75 69 6c 64 2e 31 36 30 31 30 31 2e 30 38 30 30 29 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 31 39 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c
  payload (ASCII, decoded from the hex above with its original letter case; the capture is truncated): {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"XmrigBeta2","pass":"","agent":"Services and Controller app/10.0.17134.1 (WinBuild.160101.0800) (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/hal
  This is a Stratum (JSON-RPC) login to a mining pool. The "algo" array lists CryptoNight variants, and the "agent" value has the layout of the XMRig user agent ("<product>/<version> (Windows NT 10.0; Win64; x64) libuv/<ver> msvc/<year>"), with the product name replaced by "Services and Controller app", the file description of the Windows services.exe binary; compare the sample's own OriginalFilename of service.exe further down. "XmrigBeta2" with an empty "pass" is the pool login the miner was configured with. The JSON appears in the raw TCP payload, so although the pool is contacted on port 443 the connection is not TLS-protected, and the two "HTTP traffic on port 443" entries below refer to this same connection.
Source: KVAoyRsrZC.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | ASN Name: FLOKINETSC
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: eu.minerpool.pw
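To turn the captured payload above into indicators, the following Python is an added example (not part of the Joe Sandbox report, and not XMRig's or the pool's code). It hex-decodes the raw bytes quoted above and, because the sandbox cut the capture off inside the "algo" array, falls back from json.loads to regular expressions that extract only complete quoted values, so the half-written algorithm name at the cut point is not emitted as an indicator. The algorithm-prefix and user-agent marker lists are heuristics of my own choosing, not values taken from the report.

```python
import json
import re

# Raw TCP payload as printed in the report (192.168.2.10:49707 -> 185.10.68.220:443).
# The sandbox truncates the capture, so the JSON object has no closing brackets.
STRATUM_LOGIN_HEX = """
7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63
22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22
3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73
22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 58 6d 72 69
67 42 65 74 61 32 22 2c 22 70 61 73 73 22 3a 22
22 2c 22 61 67 65 6e 74 22 3a 22 53 65 72 76 69
63 65 73 20 61 6e 64 20 43 6f 6e 74 72 6f 6c 6c
65 72 20 61 70 70 2f 31 30 2e 30 2e 31 37 31 33
34 2e 31 20 28 57 69 6e 42 75 69 6c 64 2e 31 36
30 31 30 31 2e 30 38 30 30 29 20 28 57 69 6e 64
6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e
36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31
2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 31 39 22
2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c
22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63
6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c
"""

# Heuristics (my choice, not from the report): algorithm prefixes XMRig-family miners advertise,
# and fragments of the default XMRig user agent.
MINING_ALGO_PREFIXES = ("cn/", "cn-heavy/", "cn-lite/", "cn-pico/", "rx/", "argon2/", "kawpow", "ghostrider")
MINER_AGENT_MARKERS = ("xmrig", "libuv/", "msvc/")


def decode_payload(hex_dump: str) -> str:
    """bytes.fromhex skips the whitespace between byte pairs (Python 3.7+)."""
    return bytes.fromhex(hex_dump).decode("utf-8", errors="replace")


def _quoted_field(name: str, text: str):
    """Value of "name":"..." if the closing quote survived the truncation, else None."""
    m = re.search(r'"%s"\s*:\s*"([^"]*)"' % re.escape(name), text)
    return m.group(1) if m else None


def parse_stratum_login(text: str) -> dict:
    """Return method/login/agent/algo from a Stratum JSON-RPC login, even if the capture is cut off."""
    parsed = {"truncated": False, "method": None, "login": None, "agent": None, "algo": []}
    try:
        msg = json.loads(text)
        params = msg.get("params") or {}
        parsed.update(method=msg.get("method"), login=params.get("login"),
                      agent=params.get("agent"), algo=list(params.get("algo") or []))
        return parsed
    except ValueError:          # json.JSONDecodeError is a ValueError
        parsed["truncated"] = True
    # Fallback for a truncated object: only complete quoted strings count, so the
    # half-written "cn/hal..." at the cut point is not reported as an algorithm.
    parsed["method"] = _quoted_field("method", text)
    parsed["login"] = _quoted_field("login", text)
    parsed["agent"] = _quoted_field("agent", text)
    m = re.search(r'"algo"\s*:\s*\[([^\]]*)', text)
    parsed["algo"] = re.findall(r'"([^"]*)"', m.group(1)) if m else []
    return parsed


def classify(parsed: dict) -> dict:
    """Decide whether the login is a mining-pool login and whether the agent was rebranded."""
    agent = (parsed["agent"] or "").lower()
    mining_algo = any(a.startswith(MINING_ALGO_PREFIXES) for a in parsed["algo"])
    miner_agent = any(marker in agent for marker in MINER_AGENT_MARKERS)
    # XMRig's default agent begins with "XMRig/<version>"; the libuv/msvc tail without that
    # product name suggests the operator rebranded the miner (heuristic, not a hard rule).
    spoofed_agent = miner_agent and "xmrig" not in agent
    is_miner = parsed["method"] == "login" and (mining_algo or miner_agent)
    return {"verdict": "stratum-mining-login" if is_miner else "no-miner-indicators",
            "mining_algo": mining_algo, "miner_agent": miner_agent,
            "spoofed_agent": spoofed_agent, "pool_login": parsed["login"]}


def analyze_hex_payload(hex_dump: str) -> dict:
    parsed = parse_stratum_login(decode_payload(hex_dump))
    return {**parsed, **classify(parsed)}


if __name__ == "__main__":
    print(json.dumps(analyze_hex_payload(STRATUM_LOGIN_HEX), indent=2))
```

The decoded agent string keeps its real letter case ("Services and Controller app", "XmrigBeta2"); the report's own ASCII rendering lowercases everything, which matters if the values are used as case-sensitive indicators.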
Source: svchost.exe, 00000006.00000002.3719124683.00000157D5718000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3718853152.00000157D4E87000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.6.dr | String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: svchost.exe, process index 00000002 (memory dumps 0000022EE5C13000 through 0000022EE5C70000) | Strings found in binary or memory, all Bing Maps / Windows Maps service endpoints from the svchost.exe instance that hosts the maps service (system noise, not attributable to the sample; two entries are cut off in the dump):
  http://www.bingmapsportal.com
  https://appexmapsappupdate.blob.core.windows.net
  https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
  https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
  https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
  https://dev.ditu.live.com/REST/v1/Locations
  https://dev.ditu.live.com/REST/v1/Routes/
  https://dev.ditu.live.com/REST/v1/Transit/Stops/
  https://dev.ditu.live.com/mapcontrol/logging.ashx
  https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
  https://dev.virtualearth.net/REST/v1/Locations
  https://dev.virtualearth.net/REST/v1/Routes/
  https://dev.virtualearth.net/REST/v1/Routes/Driving
  https://dev.virtualearth.net/REST/v1/Routes/Transit
  https://dev.virtualearth.net/REST/v1/Routes/Walking
  https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
  https://dev.virtualearth.net/REST/v1/Transit/Schedules/
  https://dev.virtualearth.net/mapcontrol/logging.ashx
  https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
  https://dynamic.api.tilep
  https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
  https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
  https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
  https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
  https://dynamic.t
  https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
  https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
  https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
  https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
  https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
  (Both entries are the pool connection listed under Bitcoin Miner; the "HTTP" label reflects the destination port, while the captured payload is Stratum JSON-RPC.)
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Process Stats: CPU usage > 49%
Source: KVAoyRsrZC.exe, 00000000.00000000.1250351685.00007FF635EB0000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename service.exeX vs KVAoyRsrZC.exe
Source: KVAoyRsrZC.exe | Binary or memory string: OriginalFilename service.exeX vs KVAoyRsrZC.exe
  (The version resource names the file service.exe, in line with the pool agent string that borrows the description of the Windows services.exe binary; the mismatch with the on-disk name is what the "Sample file is different than original file name gathered from version info" signature reports.)
Source: KVAoyRsrZC.exe | Static PE information: Section: UPX1 ZLIB complexity 0.9991674198365293
Source: classification engine | Classification label: mal72.evad.mine.winEXE@11/2@1/1
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Mutant created: \Sessions\1\BaseNamedObjects\4pC39Ev2yuzFY8izw76DGDJR
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\KVAoyRsrZC.exe "C:\Users\user\Desktop\KVAoyRsrZC.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\Sgrmuserer.exe C:\Windows\system32\Sgrmuserer.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  (MpCmdRun.exe -wdenable and its conhost.exe child hang off the svchost.exe instance hosting wscsvc, PID 8136 in the process tree, not off the sample, which has no child processes. That is the only Security Center related activity in this trace, so read the "Changes security center settings" signature against it.)
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Sections loaded: apphelp.dll, iphlpapi.dll, userenv.dll, cryptbase.dll, powrprof.dll, umpdc.dll, uxtheme.dll, mswsock.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, kernel.appcore.dll, explorerframe.dll, rasadhlp.dll, fwpuclnt.dll
  (The Winsock, DNS client and name-space provider libraries are consistent with the eu.minerpool.pw lookup and the outbound TCP connection recorded above.)
Source: C:\Windows\System32\svchost.exe (all instances, repeated entries collapsed) | Sections loaded: kernel.appcore.dll, moshost.dll, mapsbtsvc.dll, mosstorage.dll, ztrace_maps.dll, bcp47langs.dll, mapconfiguration.dll, winhttp.dll, wldp.dll, windows.storage.dll, profapi.dll, aphostservice.dll, networkhelper.dll, userdataplatformhelperutil.dll, umpdc.dll, syncutil.dll, mccspal.dll, vaultcli.dll, dmcfgutils.dll, wintypes.dll, msvcp110_win.dll, dmcmnutils.dll, dmxmlhelputils.dll, policymanager.dll, cryptsp.dll, xmllite.dll, inproclogger.dll, sspicli.dll, flightsettings.dll, windows.networking.connectivity.dll, npmproxy.dll, iertutil.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, synccontroller.dll, pimstore.dll, aphostclient.dll, accountaccessor.dll, dsclient.dll, powrprof.dll, systemeventsusererclient.dll, userdatalanguageutil.dll, mccsengineshared.dll, ntmarta.dll, cemapi.dll, userdatatypehelperutil.dll, phoneutil.dll, onecorecommonproxystub.dll, execmodelproxy.dll, rmclient.dll, storsvc.dll, devobj.dll, fltlib.dll, bcd.dll, wer.dll, cabinet.dll, appxdeploymentclient.dll, storageusage.dll, userenv.dll, propsys.dll, licensemanagersvc.dll, licensemanager.dll, clipc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Sections loaded: mpclient.dll, secur32.dll, sspicli.dll, version.dll, msasn1.dll, kernel.appcore.dll, userenv.dll, gpapi.dll, wbemcomn.dll, amsi.dll, profapi.dll, wscapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, slc.dll, sppc.dll
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: KVAoyRsrZC.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: KVAoyRsrZC.exe | Static file information: File size 1631744 > 1048576
Source: KVAoyRsrZC.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x18da00
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
  (UPX0/UPX1 section names together with the UPX1 ZLIB complexity of 0.999 above indicate a UPX-packed image whose unpacked code is not visible to static scanning. 0x140000000 is the default image base for 64-bit executables, so the image-base entry on its own carries no weight.)
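The static signatures above (UPX section names, a UPX1 section larger than 0x100000 bytes that barely compresses, image base 0x140000000, and the DllCharacteristics flags) can be reproduced with standard-library Python. The script below is an added example, not part of the Joe Sandbox report. Since the sample itself is not on this page, build_sample_pe() constructs a minimal PE32+ image with the same section names, UPX1 raw size, image base and DllCharacteristics the report lists, using a deterministic SHA-256 chain as a stand-in for packed data; the thresholds are the ones stated in the report's signature text, and the INCOMPRESSIBLE_RATIO cut-off is my own. Only PE32+ headers are handled.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

# IMAGE_OPTIONAL_HEADER64.DllCharacteristics bits (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".vmp0", ".vmp1", ".themida"}
# Thresholds as stated in the report's signatures; the compressibility cut-off is my own.
RAW_SIZE_LIMIT = 0x100000
IMAGE_BASE_LIMIT = 0x60000000
INCOMPRESSIBLE_RATIO = 0.95


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random-looking bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size (the report's 'ZLIB complexity'); packed data stays near 1.0."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def triage_pe(image: bytes) -> dict:
    """Parse a PE32+ header and report the packer and image-base indicators the report lists."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", image, opt_off)[0] != 0x20B:
        raise ValueError("only PE32+ (magic 0x20b) is handled in this example")
    image_base = struct.unpack_from("<Q", image, opt_off + 24)[0]
    dll_chars = struct.unpack_from("<H", image, opt_off + 70)[0]
    sections, findings = [], []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        raw_name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, opt_off + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        raw = image[raw_ptr:raw_ptr + raw_size]
        entropy, ratio = shannon_entropy(raw), zlib_complexity(raw)
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(entropy, 3), "zlib": round(ratio, 4)})
        if name in PACKER_SECTION_NAMES:
            findings.append(f"packer section name: {name}")
        if raw_size > RAW_SIZE_LIMIT:
            findings.append(f"raw size of {name} exceeds 0x{RAW_SIZE_LIMIT:x}: 0x{raw_size:x}")
        if raw_size and ratio > INCOMPRESSIBLE_RATIO:
            findings.append(f"section {name} is incompressible (ZLIB complexity {ratio:.4f})")
    if image_base > IMAGE_BASE_LIMIT:
        findings.append(f"image base 0x{image_base:x} > 0x{IMAGE_BASE_LIMIT:x}")
    flags = [label for bit, label in DLL_CHARACTERISTICS.items() if dll_chars & bit]
    return {"machine": machine, "image_base": image_base, "dll_characteristics": flags,
            "sections": sections, "findings": findings}


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for packed code (constructed, not from the sample)."""
    chunks = (hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(-(-n // 32)))
    return b"".join(chunks)[:n]


def build_sample_pe(sections, image_base=0x140000000, dll_chars=0x8160) -> bytes:
    """Construct a minimal PE32+ image from (name, raw_bytes) pairs, filled in as far as triage_pe reads."""
    file_align, sect_align = 0x200, 0x1000
    hdr_size = -(-(0x58 + 0xF0 + 40 * len(sections)) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x0022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    table, body, ptr, rva = b"", b"", hdr_size, sect_align
    for name, raw in sections:
        raw_size = -(-len(raw) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), max(len(raw), sect_align),
                             rva, raw_size, ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        ptr += raw_size
        rva += -(-max(len(raw), sect_align) // sect_align) * sect_align
    struct.pack_into("<II", opt, 56, rva, hdr_size)              # SizeOfImage, SizeOfHeaders
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_size, b"\0") + body


def demo() -> dict:
    """Constructed stand-in mirroring the report: UPX0 without raw data, UPX1 of 0x18da00 bytes, a small .rsrc."""
    sample = build_sample_pe([("UPX0", b""), ("UPX1", pseudo_random_bytes(0x18DA00)), (".rsrc", b"MZ\0\0" * 64)])
    return triage_pe(sample)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On the constructed image the findings are the packer section names, the over-sized incompressible UPX1 section and the image base; the DllCharacteristics decode to HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE, matching the report. Because 0x140000000 is the linker default for 64-bit executables, the image-base finding fires on essentially every x64 binary; the UPX names together with a ZLIB complexity near 1.0 are the indicators worth acting on.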
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe (6 events) | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe (6 events) | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
Source: KVAoyRsrZC.exe, 00000000.00000002.3718142847.0000020002623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: KVAoyRsrZC.exe, 00000000.00000002.3718142847.0000020002623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE:
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Window / User API: threadDelayed 2155
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe TID: 7928 | Thread sleep count: 2155 > 30
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe TID: 7928 | Thread sleep time: -1077500s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
Source: svchost.exe, 00000005.00000002.3718341423.000001879E84B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3718814320.000001879E87E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3718814320.000001879E864000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000005.00000002.3718341423.000001879E84B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: KVAoyRsrZC.exe, 00000000.00000002.3718142847.0000020002638000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.3718074296.000001879E82B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000005.00000002.3717763998.000001879E802000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000005.00000002.3718976583.000001879E902000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: KVAoyRsrZC.exe, 00000000.00000002.3718142847.0000020002638000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWB~z1
Source: svchost.exe, 00000005.00000002.3718341423.000001879E84B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\KVAoyRsrZC.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (6 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation (3 occurrences)
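The "Binary or memory string" entries above (PROCMON.EXE, PROCESSHACKER.EXE:, Hyper-V RAW, and the procexp.exe / Procmon.exe strings listed in the next section) come from scanning the sample's memory for known indicator strings. They show that the binary carries a list of analysis-tool names; they do not show that a comparison against the running process list was observed. The Python below is an added example, not Joe Sandbox's code, of that kind of scan: it searches a dump for each indicator in both ASCII and UTF-16LE (the form wide-character Win32 APIs such as Process32NextW return), case-insensitively, and buckets the hits by category. The dump bytes are constructed, and every indicator beyond the names the report itself lists is an assumption added for illustration.

```python
"""Added example: hunt a memory dump for the sandbox/VM/analysis-tool strings the report lists.
Not Joe Sandbox code; SAMPLE_DUMP is constructed and the indicator list is an assumption."""

# indicator -> category. The first five names appear in this report; the rest are common additions.
INDICATORS = {
    "procmon.exe": "analysis-tool", "processhacker.exe": "analysis-tool", "procexp.exe": "analysis-tool",
    "hyper-v": "vm-vendor", "vmware": "vm-vendor",
    "x64dbg.exe": "analysis-tool", "windbg.exe": "analysis-tool", "wireshark.exe": "analysis-tool",
    "virtualbox": "vm-vendor", "vbox": "vm-vendor", "qemu": "vm-vendor",
    "sbiedll.dll": "sandbox",
}


def _find_all(hay, needle):
    """Yield every offset of needle in hay, overlapping matches included."""
    pos = hay.find(needle)
    while pos != -1:
        yield pos
        pos = hay.find(needle, pos + 1)


def scan_dump(dump, context=24):
    """Return every indicator occurrence, ASCII and UTF-16LE, with the string that follows it.
    bytes.lower() folds only ASCII letters, so the \\x00 bytes of UTF-16LE text survive the folding."""
    hay = dump.lower()
    hits = []
    for word, category in INDICATORS.items():
        for encoding, needle in (("ascii", word.encode("ascii")), ("utf-16le", word.encode("utf-16-le"))):
            for offset in _find_all(hay, needle):
                raw = dump[offset:offset + len(needle) + context]
                text = raw.decode("utf-16-le", "replace") if encoding == "utf-16le" else raw.decode("latin-1")
                hits.append({"indicator": word, "category": category, "encoding": encoding,
                             "offset": offset, "context": text.split("\x00", 1)[0]})
    return sorted(hits, key=lambda h: h["offset"])


def summarize(hits):
    """Hit counts per category; a non-empty 'analysis-tool' bucket is what the report's signature keys on."""
    counts = {}
    for h in hits:
        counts[h["category"]] = counts.get(h["category"], 0) + 1
    return counts


# Constructed dump: a benign path, the upper-case names the report lists, one wide string, "Hyper-V RAW".
SAMPLE_DUMP = (b"\x00" * 16 + b"C:\\Windows\\System32\\kernel32.dll\x00"
               + b"PROCMON.EXE\x00" + b"PROCESSHACKER.EXE:\x00"
               + "procexp.exe".encode("utf-16-le") + b"\x00\x00"
               + b"Hyper-V RAW" + b"\x90" * 8)

if __name__ == "__main__":
    for h in scan_dump(SAMPLE_DUMP):
        print("%#06x %-9s %-14s %s" % (h["offset"], h["encoding"], h["category"], h["context"]))
    print(summarize(scan_dump(SAMPLE_DUMP)))
```

Run against a real dump (for instance the .sdmp regions named in the entries above, or a full process dump), the same scan reproduces the report's string evidence; a hit in the "analysis-tool" bucket with no matching process-enumeration API trace means intent only, which is exactly the state of evidence this report has.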

Lowering of HIPS / PFW / Operating System Security Settings

Every entry in this section that performs an action comes from a Windows component, not from the sample: the Security Center registry write and the ROOT\SecurityCenter event subscription are svchost.exe (the Security Center service, wscsvc, runs there), and the root\SecurityCenter2 AntiVirusProduct enumeration is MpCmdRun.exe (Defender's command-line tool, whose log is among the dropped files). The sample contributes only the procexp.exe and Procmon.exe strings in its memory, which belong with the analysis-tool checks in the previous section. Read the "Changes security center settings" signature in that light: nothing here shows the miner disabling protections.

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 00000007.00000002.3719332184.000002C43EB02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: KVAoyRsrZC.exe, 00000000.00000002.3718142847.0000020002623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: svchost.exe, 00000007.00000002.3719332184.000002C43EB02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: KVAoyRsrZC.exe, 00000000.00000002.3718142847.0000020002623000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Procmon.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 occurrences)
MITRE ATT&CK Matrix

Each cell is an ATT&CK technique; a number in parentheses is the count of matched signatures mapped to that technique, and cells without one are techniques the matrix lists that no signature hit.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (1) | Disable or Modify Tools (1) | OS Credential Dumping | Security Software Discovery (241) | Remote Services | Data from Local System | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (13) | LSASS Memory | Virtualization/Sandbox Evasion (13) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (11) | LSA Secrets | System Information Discovery (22) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
KVAoyRsrZC.exe | 75% | ReversingLabs | Win64.Trojan.DisguisedXMRigMiner
KVAoyRsrZC.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

URL | Detection | Scanner | Label
https://dev.ditu.live.com/REST/v1/Routes/ | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Routes/Driving | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | 0% | Avira URL Cloud | safe
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | 0% | Avira URL Cloud | safe
https://dynamic.api.tilep | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Routes/ | 0% | Avira URL Cloud | safe
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Routes/Walking | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Locations | 0% | Avira URL Cloud | safe
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | 0% | Avira URL Cloud | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | 0% | Avira URL Cloud | safe
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/mapcontrol/logging.ashx | 0% | Avira URL Cloud | safe
http://standards.iso.org/iso/19770/-2/2009/schema.xsd | 0% | Avira URL Cloud | safe
https://dev.ditu.live.com/mapcontrol/logging.ashx | 0% | Avira URL Cloud | safe
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | Avira URL Cloud | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | 0% | Avira URL Cloud | safe
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Routes/Transit | 0% | Avira URL Cloud | safe
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | 0% | Avira URL Cloud | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | 0% | Avira URL Cloud | safe
https://dev.ditu.live.com/REST/v1/Locations | 0% | Avira URL Cloud | safe
http://www.bingmapsportal.com | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | 0% | Avira URL Cloud | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | 0% | Avira URL Cloud | safe
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
eu.minerpool.pw | 91.92.248.9 | true | false | | unknown

The pool domain resolved to 91.92.248.9 during the run, while the only session in the packet excerpt at the end of this report goes to 185.10.68.220 (FlokiNET, flagged malicious below); both addresses and the domain belong on the block list.
Every URL in this table was extracted from svchost.exe memory (process 2, whose strings are Bing Maps endpoints under virtualearth.net and ditu.live.com) or from the Windows SWID tag dropped by process 6. None came from the sample, so they are not indicators for this miner.

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000002.00000002.1423303079.0000022EE5C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366013522.0000022EE5C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1377212073.0000022EE5C6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000002.00000003.1374550345.0000022EE5C41000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000002.00000002.1425656926.0000022EE5C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365997299.0000022EE5C6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tilep | svchost.exe, 00000002.00000002.1416429792.0000022EE5C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1374550345.0000022EE5C41000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000002.00000002.1423303079.0000022EE5C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1415329851.0000022EE5C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366013522.0000022EE5C67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000002.00000003.1366025641.0000022EE5C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1415329851.0000022EE5C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1378615730.0000022EE5C66000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000002.00000003.1373180241.0000022EE5C47000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000002.00000002.1416429792.0000022EE5C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1374550345.0000022EE5C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366059088.0000022EE5C5E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000002.00000003.1366025641.0000022EE5C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1416429792.0000022EE5C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1374550345.0000022EE5C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1422519922.0000022EE5C63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000002.00000003.1373180241.0000022EE5C47000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000002.00000003.1265356760.0000022EE5C36000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1419687822.0000022EE5C59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://standards.iso.org/iso/19770/-2/2009/schema.xsd | svchost.exe, 00000006.00000002.3719124683.00000157D5718000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3718853152.00000157D4E87000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.6.dr | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000002.00000003.1366025641.0000022EE5C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1416429792.0000022EE5C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1374550345.0000022EE5C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1425656926.0000022EE5C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1422519922.0000022EE5C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1371558076.0000022EE5C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365997299.0000022EE5C6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000002.00000002.1415329851.0000022EE5C2B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000002.00000003.1374550345.0000022EE5C41000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000002.00000002.1416429792.0000022EE5C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1374550345.0000022EE5C41000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.t | svchost.exe, 00000002.00000003.1365997299.0000022EE5C6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1419687822.0000022EE5C59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000002.00000003.1366025641.0000022EE5C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1422519922.0000022EE5C63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bingmapsportal.com | svchost.exe, 00000002.00000002.1413554942.0000022EE5C13000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000002.00000003.1366025641.0000022EE5C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366081893.0000022EE5C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1415329851.0000022EE5C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1371558076.0000022EE5C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1378615730.0000022EE5C66000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000002.00000002.1415329851.0000022EE5C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366013522.0000022EE5C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1377212073.0000022EE5C6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000002.00000002.1425656926.0000022EE5C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365997299.0000022EE5C6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000002.00000003.1373180241.0000022EE5C47000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.10.68.220 | unknown | Seychelles | 200651 | FLOKINETSC | true
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1467024
    Start date and time:2024-07-03 16:33:26 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 41s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:KVAoyRsrZC.exe
    renamed because original name is a hash value
    Original Sample Name:898e1da2e8cd2b209e90b5aa9f662b13e96a412238059d9b925d023f00a43b2f.exe
    Detection:MAL
    Classification:mal72.evad.mine.winEXE@11/2@1/1
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
    • VT rate limit hit for: KVAoyRsrZC.exe
Time | Type | Description
10:35:18 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
10:35:24 | API Interceptor | 2137x Sleep call for process: KVAoyRsrZC.exe modified
    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
eu.minerpool.pw | java.exe (three earlier analyses) | malicious | Unknown | 107.182.129.82
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FLOKINETSC | fonts-util (two earlier analyses) | malicious | Unknown | 185.100.86.182
FLOKINETSC | cups-utils-helper | malicious | Unknown | 185.100.86.100
FLOKINETSC | Untitled.msg | malicious | Unknown | 185.247.226.149
FLOKINETSC | http://185.165.171.84 | malicious | Unknown | 185.165.171.84
FLOKINETSC | http://www.enkeltfornya.com/ | malicious | Unknown | 185.165.170.250
FLOKINETSC | http://kierwright.com | malicious | Unknown | 37.228.129.15
FLOKINETSC | http://malnutritionandfoodfirst.rdash.nhs.uk | malicious | Unknown | 37.228.129.15
FLOKINETSC | https://www.msw-consultants.com/ | malicious | Unknown | 37.228.129.15
FLOKINETSC | https://dmfatlanta.com | malicious | Unknown | 37.228.129.15
    No context
    No context
    Process:C:\Windows\System32\svchost.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):999
    Entropy (8bit):4.966299883488245
    Encrypted:false
    SSDEEP:24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
    MD5:24567B9212F806F6E3E27CDEB07728C0
    SHA1:371AE77042FFF52327BF4B929495D5603404107D
    SHA-256:82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
    SHA-512:5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..
    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:modified
    Size (bytes):4926
    Entropy (8bit):3.246386262290388
    Encrypted:false
    SSDEEP:48:FaqdF7w8l0+AAHdKoqKFxcxkF28lraqdF7S5d+AAHdKoqKFxcxkFs541:cEG+AAsoJjykcESz+AAsoJjykCc
    MD5:6187A083CA87A01D0FC11D8DD2933E69
    SHA1:E739F950CC94B27293674320D808A8063E1997F6
    SHA-256:AA8298F1421E138321F6197F33FD0143D6CD8D6A158B61208C1B3626A97CD1D0
    SHA-512:31589D2EFD8AF9636D926BC064FC6DC9F12A77230A9A3F735BDE83FCB9F18B33D3BC84253BB6FC1F4D13251B4AC8387B18FDDDA5AD7C0B80494307D93EB3FCA0
    Malicious:false
    Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. O.c.t. .. 0.5. .. 2.0.2.3. .1.2.:.2.8.:.3.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
    File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
    Entropy (8bit):7.999463374154621
    TrID:
    • UPX compressed Win32 Executable (30571/9) 65.62%
    • Win64 Executable (generic) (12005/4) 25.77%
    • Generic Win/DOS Executable (2004/3) 4.30%
    • DOS Executable Generic (2002/1) 4.30%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
    File name:KVAoyRsrZC.exe
    File size:1'631'744 bytes
    MD5:7584a2cb74c2018e63e3d0eca65d8c61
    SHA1:34eab33535798fada3565de8d8ed20a88b788895
    SHA256:898e1da2e8cd2b209e90b5aa9f662b13e96a412238059d9b925d023f00a43b2f
    SHA512:55a79ddea2935cb3cd1044dd692dc2b7b2e356a4a87cedb4fa56f5ac20a6c7966cc0599dbd6133f6a9d47c0dd6d51ea856824e8781b567f5a4ef1a8b2df6cb26
    SSDEEP:24576:lavo/YFhnivTP0lhLuFEFotb0XUGH0gUu2ZfdOPAklQuYi/X+LT:lEo/Ul0atGYUGHv92ZfY5l3j/uL
    TLSH:5F7533B422F325ACF04536BFE304F1F56B62F0AC6736721ACE24277F08266459297A57
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....'{f..........................[...s.. [....@..............................t...........`................................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x14073ebc0
    Entrypoint Section:UPX1
    Digitally signed:false
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x667B2705 [Tue Jun 25 20:22:29 2024 UTC]
    TLS Callbacks:0x4073f779, 0x1
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:bb388b5fb16beacfa2a7403d25eaa8c4
Instruction (entry-point disassembly, UPX1 stub at 0x14073ebc0). Read with care: the listing was decoded as 32-bit code, so every "dec eax" is really the 0x48 REX.W prefix of the 64-bit instruction that follows (for example "dec eax / lea esi, dword ptr [FFE7345Ah]" is a single RIP-relative "lea rsi, [rip+disp32]"), and the pushes of ebx, esi, edi and ebp are the stub saving rbx, rsi, rdi and rbp. What follows is the UPX decompressor, not the miner's own code.
    push ebx
    push esi
    push edi
    push ebp
    dec eax
    lea esi, dword ptr [FFE7345Ah]
    dec eax
    lea edi, dword ptr [esi-005B1025h]
    dec eax
    lea eax, dword ptr [edi+006F6244h]
    push dword ptr [eax]
    mov dword ptr [eax], B030AB2Bh
    push eax
    push edi
    mov eax, 0073C4F3h
    push eax
    dec eax
    mov ecx, esp
    dec eax
    mov edx, edi
    dec eax
    mov edi, esi
    mov esi, 0018CB95h
    push ebp
    dec eax
    mov ebp, esp
    inc esp
    mov ecx, dword ptr [ecx]
    dec ecx
    mov eax, edx
    dec eax
    mov edx, esi
    dec eax
    lea esi, dword ptr [edi+02h]
    push esi
    mov al, byte ptr [edi]
    dec edx
    mov cl, al
    and al, 07h
    shr cl, 00000003h
    dec eax
    mov ebx, FFFFFD00h
    dec eax
    shl ebx, cl
    mov cl, al
    dec eax
    lea ebx, dword ptr [esp+ebx*2-00000E78h]
    dec eax
    and ebx, FFFFFFC0h
    push 00000000h
    dec eax
    cmp esp, ebx
    jne 00007F05908DF61Bh
    push ebx
    dec eax
    lea edi, dword ptr [ebx+08h]
    mov cl, byte ptr [esi-01h]
    dec edx
    mov byte ptr [edi+02h], al
    mov al, cl
    shr cl, 00000004h
    mov byte ptr [edi+01h], cl
    and al, 0Fh
    mov byte ptr [edi], al
    dec eax
    lea ecx, dword ptr [edi-04h]
    push eax
    inc ecx
    push edi
    dec eax
    lea eax, dword ptr [edi+04h]
    inc ebp
    xor edi, edi
    inc ecx
    push esi
    inc ecx
    mov esi, 00000001h
    inc ecx
    push ebp
    inc ebp
    xor ebp, ebp
    inc ecx
    push esp
    push ebp
    push ebx
    dec eax
    mov dword ptr [esp-10h], ecx
    dec eax
    mov dword ptr [esp-28h], eax
    mov eax, 00000001h
    dec eax
    mov dword ptr [esp-08h], esi
    dec esp
    mov dword ptr [esp-18h], eax
    mov ebx, eax
    inc esp
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74054c | 0x2d4 | .rsrc
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x740000 | 0x54c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x70a000 | 0x1d970 | UPX1
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x740820 | 0x24 | .rsrc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x73f7a0 | 0x28 | UPX1
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x73f818 | 0x138 | UPX1
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    UPX0 | 0x1000 | 0x5b1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    UPX1 | 0x5b2000 | 0x18e000 | 0x18da00 | e16562df9384095bb180101f1fe24b50 | False | 0.9991674198365293 | data | 7.999816047600463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x740000 | 0x1000 | 0xa00 | e52edf1f58d5fbc434a4cc9d4fc1090b | False | 0.3765625 | data | 3.785183192923688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x7400a4 | 0x348 | data | English | United States | 0.430952380952381
    RT_MANIFEST | 0x7403f0 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
    DLL | Import
    ADVAPI32.dll | LsaClose
    bcrypt.dll | BCryptGenRandom
    CRYPT32.dll | CertOpenStore
    IPHLPAPI.DLL | GetAdaptersAddresses
    KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
    ole32.dll | CoInitializeEx
    PSAPI.DLL | GetProcessMemoryInfo
    USER32.dll | ShowWindow
    USERENV.dll | GetUserProfileDirectoryW
    WS2_32.dll | ioctlsocket
    Language of compilation system | Country where language is spoken | Map
    English | United States |
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Jul 3, 2024 16:34:15.956448078 CEST | 54892 | 53 | 192.168.2.10 | 1.1.1.1
    Jul 3, 2024 16:34:16.054034948 CEST | 53 | 54892 | 1.1.1.1 | 192.168.2.10
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Jul 3, 2024 16:34:15.956448078 CEST | 192.168.2.10 | 1.1.1.1 | 0x8e5e | Standard query (0) | eu.minerpool.pw | A (IP address) | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Jul 3, 2024 16:34:16.054034948 CEST | 1.1.1.1 | 192.168.2.10 | 0x8e5e | No error (0) | eu.minerpool.pw | | 91.92.248.9 | A (IP address) | IN (0x0001) | false
    Jul 3, 2024 16:34:16.054034948 CEST | 1.1.1.1 | 192.168.2.10 | 0x8e5e | No error (0) | eu.minerpool.pw | | 185.10.68.123 | A (IP address) | IN (0x0001) | false
    Jul 3, 2024 16:34:16.054034948 CEST | 1.1.1.1 | 192.168.2.10 | 0x8e5e | No error (0) | eu.minerpool.pw | | 185.10.68.220 | A (IP address) | IN (0x0001) | false
    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    0 | 192.168.2.10 | 49707 | 185.10.68.220 | 443 | 7852 | C:\Users\user\Desktop\KVAoyRsrZC.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-07-03 14:34:17 UTC | 606 | OUT
    Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"XmrigBeta2","pass":"","agent":"Services and Controller app/10.0.17134.1 (WinBuild.160101.0800) (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/hal
    2024-07-03 14:34:17 UTC | 743 | IN
    Data Ascii: {"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"dfa11b4769acc0d4","job":{"blob":"1414e8c295b40616653f11023070651b39d5ff57339858569ff72184aca038a6e8d424c25b6fb70000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2024-07-03 14:34:33 UTC | 630 | IN
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1414f8c295b40616653f11023070651b39d5ff57339858569ff72184aca038a6e8d424c25b6fb70000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2024-07-03 14:34:49 UTC | 630 | IN
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"141488c395b40616653f11023070651b39d5ff57339858569ff72184aca038a6e8d424c25b6fb70000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2024-07-03 14:35:05 UTC | 630 | IN
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"141498c395b40616653f11023070651b39d5ff57339858569ff72184aca038a6e8d424c25b6fb70000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2024-07-03 14:35:20 UTC | 630 | IN
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1414a8c395b40616653f11023070651b39d5ff57339858569ff72184aca038a6e8d424c25b6fb70000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2024-07-03 14:35:36 UTC | 630 | IN
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1414b8c395b40616653f11023070651b39d5ff57339858569ff72184aca038a6e8d424c25b6fb70000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2024-07-03 14:35:50 UTC | 630 | IN
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1414c5c395b40688c3b4c6e67a8f4eda88d316e91638163419be226c2d979935f74bc04c6cf3990000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2024-07-03 14:36:06 UTC | 630 | IN
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1414d5c395b40688c3b4c6e67a8f4eda88d316e91638163419be226c2d979935f74bc04c6cf3990000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    2024-07-03 14:36:21 UTC | 630 | IN
    Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1414e5c395b40688c3b4c6e67a8f4eda88d316e91638163419be226c2d979935f74bc04c6cf3990000001300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000


    Target ID: 0
    Start time: 10:34:14
    Start date: 03/07/2024
    Path: C:\Users\user\Desktop\KVAoyRsrZC.exe
    Wow64 process (32bit): false
    Commandline: "C:\Users\user\Desktop\KVAoyRsrZC.exe"
    Imagebase: 0x7ff635770000
    File size: 1'631'744 bytes
    MD5 hash: 7584A2CB74C2018E63E3D0ECA65D8C61
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: false

    Target ID: 2
    Start time: 10:34:15
    Start date: 03/07/2024
    Path: C:\Windows\System32\svchost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
    Imagebase: 0x7ff7df220000
    File size: 55'320 bytes
    MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges: true
    Has administrator privileges: false
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true

    Target ID: 3
    Start time: 10:34:16
    Start date: 03/07/2024
    Path: C:\Windows\System32\Sgrmuserer.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\system32\Sgrmuserer.exe
    Imagebase: 0x7ff650e60000
    File size: 329'504 bytes
    MD5 hash: 3BA1A18A0DC30A0545E7765CB97D8E63
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: false

    Target ID: 4
    Start time: 10:34:16
    Start date: 03/07/2024
    Path: C:\Windows\System32\svchost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
    Imagebase: 0x7ff7df220000
    File size: 55'320 bytes
    MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges: false
    Has administrator privileges: false
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: false

    Target ID: 5
    Start time: 10:34:16
    Start date: 03/07/2024
    Path: C:\Windows\System32\svchost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
    Imagebase: 0x7ff7df220000
    File size: 55'320 bytes
    MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: false

    Target ID: 6
    Start time: 10:34:16
    Start date: 03/07/2024
    Path: C:\Windows\System32\svchost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
    Imagebase: 0x7ff7df220000
    File size: 55'320 bytes
    MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: false

    Target ID: 7
    Start time: 10:34:16
    Start date: 03/07/2024
    Path: C:\Windows\System32\svchost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
    Imagebase: 0x7ff7df220000
    File size: 55'320 bytes
    MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges: true
    Has administrator privileges: false
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: false

    Target ID: 9
    Start time: 10:35:02
    Start date: 03/07/2024
    Path: C:\Windows\System32\svchost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    Imagebase: 0x7ff7df220000
    File size: 55'320 bytes
    MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges: true
    Has administrator privileges: false
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: false

    Target ID: 10
    Start time: 10:35:17
    Start date: 03/07/2024
    Path: C:\Program Files\Windows Defender\MpCmdRun.exe
    Wow64 process (32bit): false
    Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
    Imagebase: 0x7ff7b1140000
    File size: 468'120 bytes
    MD5 hash: B3676839B2EE96983F9ED735CD044159
    Has elevated privileges: true
    Has administrator privileges: false
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true

    Target ID: 11
    Start time: 10:35:17
    Start date: 03/07/2024
    Path: C:\Windows\System32\conhost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase: 0x7ff620390000
    File size: 862'208 bytes
    MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges: true
    Has administrator privileges: false
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true

    No disassembly