Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1548107
MD5:	8e487fecb6d9126067b432788db011de
SHA1:	78c25b2bd8ba6eb1781e5634484d2b425e9c6367
SHA256:	235c665b25c1e78fed3ca96e57c374e5a416aad1d27b4ae436a1c6c58604268b
Tags:	exeuser-Bitsight
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

DNS related to crypt mining pools

Detected Stratum mining protocol

Drops PE files to the document folder of the user

Found strings related to Crypto-Mining

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample is not signed and drops a device driver

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8E487FECB6D9126067B432788DB011DE)

OmegaEngine.exe (PID: 7328 cmdline: "C:\Users\user\Documents\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero MD5: 2C5F8843F514824FC636F451FC6A18B4)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Documents\System\config.json	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\Documents\System\file.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\Documents\System\OmegaEngine.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\Documents\System\OmegaEngine.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x58436e:$x1: donate.ssl.xmrig.com 0x584671:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x57c4bd:$s1: [%s] login error code: %d 0x5ef22e:$s2: \\?\pipe\uv\%p-%lu
C:\Users\user\Documents\System\OmegaEngine.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5847ae:$s1: %s/%s (Windows NT %lu.%lu 0x57c385:$s4: pool_wallet 0x5874fc:$s5: cryptonight 0x58750f:$s5: cryptonight 0x58751e:$s5: cryptonight 0x587531:$s5: cryptonight 0x587546:$s5: cryptonight 0x587555:$s5: cryptonight 0x587568:$s5: cryptonight 0x58757d:$s5: cryptonight 0x58758c:$s5: cryptonight 0x58759f:$s5: cryptonight 0x5875ad:$s5: cryptonight 0x5875c6:$s5: cryptonight 0x5875dd:$s5: cryptonight 0x5875f6:$s5: cryptonight 0x58760d:$s5: cryptonight 0x58761f:$s5: cryptonight 0x587636:$s5: cryptonight 0x58764d:$s5: cryptonight 0x587664:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.1674044823.0000000001380000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000000.1673266474.0000000000B5D000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.2921445649.0000000000B5D000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.2924658100.00000269F2540000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.2921686248.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.2921574199.0000000001370000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.2921548271.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.2921686248.00000000014BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.2921501059.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.2921501059.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.2924658100.00000269F254F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.2921328117.000000000097A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000000.1672963896.000000000097A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.1663438735.00000269F0202000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.2921012977.0000026980001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: file.exe PID: 7268	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: OmegaEngine.exe PID: 7328	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.file.exe.269f0200000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
1.2.OmegaEngine.exe.400000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
1.2.OmegaEngine.exe.400000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x58436e:$x1: donate.ssl.xmrig.com 0x584671:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x57c4bd:$s1: [%s] login error code: %d 0x5ef22e:$s2: \\?\pipe\uv\%p-%lu
1.2.OmegaEngine.exe.400000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5847ae:$s1: %s/%s (Windows NT %lu.%lu 0x57c385:$s4: pool_wallet 0x5874fc:$s5: cryptonight 0x58750f:$s5: cryptonight 0x58751e:$s5: cryptonight 0x587531:$s5: cryptonight 0x587546:$s5: cryptonight 0x587555:$s5: cryptonight 0x587568:$s5: cryptonight 0x58757d:$s5: cryptonight 0x58758c:$s5: cryptonight 0x58759f:$s5: cryptonight 0x5875ad:$s5: cryptonight 0x5875c6:$s5: cryptonight 0x5875dd:$s5: cryptonight 0x5875f6:$s5: cryptonight 0x58760d:$s5: cryptonight 0x58761f:$s5: cryptonight 0x587636:$s5: cryptonight 0x58764d:$s5: cryptonight 0x587664:$s5: cryptonight
1.0.OmegaEngine.exe.400000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
1.0.OmegaEngine.exe.400000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x58436e:$x1: donate.ssl.xmrig.com 0x584671:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x57c4bd:$s1: [%s] login error code: %d 0x5ef22e:$s2: \\?\pipe\uv\%p-%lu
1.0.OmegaEngine.exe.400000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5847ae:$s1: %s/%s (Windows NT %lu.%lu 0x57c385:$s4: pool_wallet 0x5874fc:$s5: cryptonight 0x58750f:$s5: cryptonight 0x58751e:$s5: cryptonight 0x587531:$s5: cryptonight 0x587546:$s5: cryptonight 0x587555:$s5: cryptonight 0x587568:$s5: cryptonight 0x58757d:$s5: cryptonight 0x58758c:$s5: cryptonight 0x58759f:$s5: cryptonight 0x5875ad:$s5: cryptonight 0x5875c6:$s5: cryptonight 0x5875dd:$s5: cryptonight 0x5875f6:$s5: cryptonight 0x58760d:$s5: cryptonight 0x58761f:$s5: cryptonight 0x587636:$s5: cryptonight 0x58764d:$s5: cryptonight 0x587664:$s5: cryptonight
Click to see the 2 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-03T22:36:17.402087+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49733	TCP
2024-11-03T22:36:56.888569+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.4	49748	TCP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-03T22:35:59.175889+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.4	49804	51.15.65.182	10343	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Documents\System\OmegaEngine.exe	ReversingLabs: Detection: 74%
Source: C:\Users\user\Documents\System\file.exe	ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Documents\System\OmegaEngine.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\System\file.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.0.file.exe.269f0200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1674044823.0000000001380000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1673266474.0000000000B5D000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2921445649.0000000000B5D000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2924658100.00000269F2540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2921686248.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2921574199.0000000001370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2921548271.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2921686248.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2921501059.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2921501059.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2924658100.00000269F254F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2921328117.000000000097A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1672963896.000000000097A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1663438735.00000269F0202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2921012977.0000026980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OmegaEngine.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Documents\System\config.json, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\System\file.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\System\OmegaEngine.exe, type: DROPPED

DNS related to crypt mining pools

Source: unknown	DNS query: name: xmr-eu1.nanopool.org
Source: unknown	DNS query: name: xmr-eu2.nanopool.org

Detected Stratum mining protocol

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 54.37.137.114:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 51.15.193.130:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 51.15.65.182:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 51.89.23.91:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 212.47.253.124:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 51.195.43.17:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 54.37.232.103:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49743 -> 51.195.43.17:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 51.89.23.91:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 51.15.61.114:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 51.15.58.224:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 51.15.89.13:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49749 -> 212.47.253.124:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49751 -> 51.195.43.17:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49772 -> 54.37.232.103:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49778 -> 51.15.61.114:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49804 -> 51.15.65.182:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49810 -> 51.195.43.17:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49836 -> 51.15.193.130:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49842 -> 51.195.43.17:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49867 -> 54.37.232.103:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49873 -> 51.195.43.17:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49898 -> 141.94.23.83:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49901 -> 51.68.137.186:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49927 -> 163.172.154.142:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49932 -> 51.15.61.114:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49958 -> 141.94.23.83:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49963 -> 51.195.43.17:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49989 -> 146.59.154.106:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:49994 -> 51.195.138.197:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:50020 -> 51.15.193.130:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic	TCP traffic: 192.168.2.4:50025 -> 51.15.89.13:10343 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b","pass":"x","agent":"xmrig/5.5.0 (windows nt 10.0) libuv/1.15.0 gcc/7.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.

Found strings related to Crypto-Mining

Source: OmegaEngine.exe	String found in binary or memory: stratum+ssl://
Source: OmegaEngine.exe, 00000001.00000002.2921328117.000000000097A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: cryptonight/0
Source: OmegaEngine.exe	String found in binary or memory: stratum+tcp://
Source: OmegaEngine.exe	String found in binary or memory: -o, --url=URL URL of mining server
Source: OmegaEngine.exe	String found in binary or memory: Usage: xmrig [OPTIONS] Network:
Source: file.exe, 00000000.00000002.2924658100.00000269F254F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: XMRig mi

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: file.exe, file.exe.0.dr, WinRing0x64.sys.0.dr
Source:	Binary string: C:\Users\Virtual\Desktop\Biz\RogueMarket\Products\Rogue Miner V2\Review Backup\Er minator\obj\Release\OmegaMiner.pdb source: file.exe, file.exe.0.dr

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 54.37.137.114:10343
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 51.15.193.130:10343
Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 51.15.65.182:10343
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 51.89.23.91:10343
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 212.47.253.124:10343
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 51.195.43.17:10343
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 54.37.232.103:10343
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 51.15.61.114:10343
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 51.15.58.224:10343
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 51.15.89.13:10343
Source: global traffic	TCP traffic: 192.168.2.4:49898 -> 141.94.23.83:10343
Source: global traffic	TCP traffic: 192.168.2.4:49901 -> 51.68.137.186:10343
Source: global traffic	TCP traffic: 192.168.2.4:49927 -> 163.172.154.142:10343
Source: global traffic	TCP traffic: 192.168.2.4:49989 -> 146.59.154.106:10343
Source: global traffic	TCP traffic: 192.168.2.4:49994 -> 51.195.138.197:10343

Source: Joe Sandbox View	IP Address: 51.15.65.182 51.15.65.182
Source: Joe Sandbox View	IP Address: 51.195.138.197 51.195.138.197
Source: Joe Sandbox View	IP Address: 163.172.154.142 163.172.154.142

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR

Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49804 -> 51.15.65.182:10343
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49748

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: global traffic	DNS traffic detected: DNS query: xmr-eu2.nanopool.org

Source: file.exe, file.exe.0.dr, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: file.exe, file.exe.0.dr, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: file.exe, file.exe.0.dr, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: file.exe, file.exe.0.dr, WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: OmegaEngine.exe.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: OmegaEngine.exe, OmegaEngine.exe, 00000001.00000002.2921328117.000000000097A000.00000002.00000001.01000000.00000006.sdmp, OmegaEngine.exe.0.dr	String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 1.2.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 1.0.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 1.0.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\user\Documents\System\OmegaEngine.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\Documents\System\OmegaEngine.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Documents\System\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FFD9BAC0A69

0_2_00007FFD9BAC0A69

Source: Joe Sandbox View

Dropped File: C:\Users\user\Documents\System\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: file.exe, 00000000.00000000.1663438735.00000269F0202000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinRing0.sys2 vs file.exe
Source: file.exe, 00000000.00000000.1663438735.00000269F0202000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOmegaMiner.exe6 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameWinRing0.sys2 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameOmegaMiner.exe6 vs file.exe
Source: file.exe.0.dr	Binary or memory string: OriginalFilenameWinRing0.sys2 vs file.exe
Source: file.exe.0.dr	Binary or memory string: OriginalFilenameOmegaMiner.exe6 vs file.exe

Source: 1.2.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 1.2.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 1.0.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 1.0.OmegaEngine.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Users\user\Documents\System\OmegaEngine.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\Documents\System\OmegaEngine.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: WinRing0x64.sys.0.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.mine.winEXE@4/5@2/15

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Documents\System

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 52%

Source: OmegaEngine.exe	String found in binary or memory: -h, --help display this help and exit
Source: OmegaEngine.exe	String found in binary or memory: -h, --help display this help and exit
Source: OmegaEngine.exe	String found in binary or memory: --help
Source: OmegaEngine.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Documents\System\OmegaEngine.exe "C:\Users\user\Documents\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Documents\System\OmegaEngine.exe "C:\Users\user\Documents\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 7277568 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6db400

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: file.exe, file.exe.0.dr, WinRing0x64.sys.0.dr
Source:	Binary string: C:\Users\Virtual\Desktop\Biz\RogueMarket\Products\Rogue Miner V2\Review Backup\Er minator\obj\Release\OmegaMiner.pdb source: file.exe, file.exe.0.dr

Source: file.exe

Static PE information: 0xF500D2FC [Sat Apr 3 21:45:32 2100 UTC]

Source: OmegaEngine.exe.0.dr

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FFD9BAC00BD pushad ; iretd

0_2_00007FFD9BAC00C1

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Documents\System\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Documents\System\file.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Documents\System\OmegaEngine.exe	Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Documents\System\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Documents\System\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Documents\System\file.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Documents\System\OmegaEngine.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\System\OmegaEngine.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 269F0C30000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 269F26E0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 2330			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 7297			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Dropped PE file which has not been started: C:\Users\user\Documents\System\WinRing0x64.sys

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe TID: 7272	Thread sleep count: 2330 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7272	Thread sleep time: -1165000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7272	Thread sleep count: 7297 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7272	Thread sleep time: -3648500s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: OmegaEngine.exe, 00000001.00000002.2921501059.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: OmegaEngine.exe, 00000001.00000002.2921501059.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\Documents\System\OmegaEngine.exe "C:\Users\user\Documents\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Documents\System\OmegaEngine.exe "c:\users\user\documents\system\omegaengine.exe" -b --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b -k --coin monero
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Documents\System\OmegaEngine.exe "c:\users\user\documents\system\omegaengine.exe" -b --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85sayjhvdatlk8tmfyeqyg3ax3gnpkzbcwnyz4nkutvbjtumdf9gqen24dtx8c8qf9c6jkqvwzvlabeubs7b8rjn9413x5b -k --coin monero			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Documents\System\OmegaEngine.exe

Code function: 1_2_00757C00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_00757C00

Source: C:\Users\user\Desktop\file.exe

Directory queried: C:\Users\user\Documents\System

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Documents\System\OmegaEngine.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\System\file.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\System\OmegaEngine.exe	74%	ReversingLabs	Win32.Trojan.Convagent
C:\Users\user\Documents\System\WinRing0x64.sys	5%	ReversingLabs
C:\Users\user\Documents\System\file.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Source	Detection	Scanner	Label	Link
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xmr-eu1.nanopool.org	163.172.154.142	true	true		unknown
xmr-eu2.nanopool.org	51.15.61.114	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://gcc.gnu.org/bugs/):	OmegaEngine.exe.0.dr	false	URL Reputation: safe	unknown
https://xmrig.com/docs/algorithms	OmegaEngine.exe, OmegaEngine.exe, 00000001.00000002.2921328117.000000000097A000.00000002.00000001.01000000.00000006.sdmp, OmegaEngine.exe.0.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.68.137.186	unknown	France	16276	OVHFR	true
51.15.65.182	unknown	France	12876	OnlineSASFR	true
51.195.138.197	unknown	France	16276	OVHFR	true
163.172.154.142	xmr-eu1.nanopool.org	United Kingdom	12876	OnlineSASFR	true
54.37.137.114	unknown	France	16276	OVHFR	true
51.15.58.224	unknown	France	12876	OnlineSASFR	true
51.15.193.130	unknown	France	12876	OnlineSASFR	true
51.15.89.13	unknown	France	12876	OnlineSASFR	true
54.37.232.103	unknown	France	16276	OVHFR	true
212.47.253.124	unknown	France	12876	OnlineSASFR	true
146.59.154.106	unknown	Norway	16276	OVHFR	true
141.94.23.83	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
51.89.23.91	unknown	France	16276	OVHFR	true
51.15.61.114	xmr-eu2.nanopool.org	France	12876	OnlineSASFR	true
51.195.43.17	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1548107
Start date and time:	2024-11-03 22:35:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.mine.winEXE@4/5@2/15
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target OmegaEngine.exe, PID 7328 because there are no executed function
Execution Graph export aborted for target file.exe, PID 7268 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:36:30	API Interceptor	9511x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
51.68.137.186	E5r67vtBtc6.exe	Get hash	malicious	Xmrig	Browse
	Miner-XMR2.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Xmrig	Browse
51.15.65.182	WWhhc3A0rs.exe	Get hash	malicious	Xmrig	Browse
	S0FTWARE.exe	Get hash	malicious	Go Injector, Vidar, Xmrig	Browse
	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse
	setup.exe	Get hash	malicious	Xmrig	Browse
	Loader.exe	Get hash	malicious	LummaC, Xmrig	Browse
	2mim34IfQZ.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, Xmrig, zgRAT	Browse
	gq83mrprwy.exe	Get hash	malicious	Xmrig	Browse
	1DI50gCNGQ.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
51.195.138.197	ICBM.exe	Get hash	malicious	Xmrig	Browse
	E5r67vtBtc6.exe	Get hash	malicious	Xmrig	Browse
	Miner-XMR2.exe	Get hash	malicious	Xmrig	Browse
	25C1.exe	Get hash	malicious	Glupteba, Xmrig	Browse
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Stealc, Vidar, Xmrig	Browse
163.172.154.142	file.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Trojan.Siggen29.50366.26295.18671.exe	Get hash	malicious	Xmrig	Browse
	BWP2uPDDxw.exe	Get hash	malicious	Xmrig	Browse
	BkkZPdT1uc.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.RATX-gen.29355.29242.exe	Get hash	malicious	AsyncRAT, Nbminer, Xmrig	Browse
	huUaO72kiE.exe	Get hash	malicious	Xmrig, zgRAT	Browse
	Xy6yvvPtyc.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, Fabookie, SmokeLoader, Xmrig	Browse
	sB5W4YtR18.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse
54.37.137.114	SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Get hash	malicious	Xmrig	Browse
54.37.137.114	ft1i6jvAdD.exe	Get hash	malicious	Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xmr-eu2.nanopool.org	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.15.61.114
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.68.137.186
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.68.137.186
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.195.138.197
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.195.43.17
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.210.150.92
	file.exe	Get hash	malicious	Xmrig	Browse	163.172.171.111
	E5r67vtBtc6.exe	Get hash	malicious	Xmrig	Browse	163.172.171.111
	Miner-XMR2.exe	Get hash	malicious	Xmrig	Browse	51.195.43.17
	25C1.exe	Get hash	malicious	Glupteba, Xmrig	Browse	51.68.137.186
xmr-eu1.nanopool.org	HmA7s2gaa5.exe	Get hash	malicious	Xmrig	Browse	162.19.224.121
	12Jh49DCAj.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	Ky4J8k89A7.exe	Get hash	malicious	Stealc, Vidar, Xmrig	Browse	51.15.58.224
	boooba.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	2HUgVjrn3O.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Get hash	malicious	Xmrig	Browse	141.94.23.83
	Yf4yviDxwF.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
	file.exe	Get hash	malicious	Xmrig	Browse	54.37.137.114
	Q3Vq6yp33F.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	2JkHiPgkLE.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	sora.m68k.elf	Get hash	malicious	Mirai	Browse	54.39.196.186
	g49e742700.exe	Get hash	malicious	Emotet	Browse	178.33.167.120
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	94.23.172.32
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	139.99.170.35
	Payload 94.75 (4).225.exe	Get hash	malicious	Kronos, Strela Stealer	Browse	158.69.205.247
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	54.36.209.254
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	144.217.4.166
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	51.81.56.136
	4GPlus.bat	Get hash	malicious	Unknown	Browse	51.195.251.11
	Reservation Detail Booking.com ID4336.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	94.23.17.185
OnlineSASFR	Payload 94.75 (4).225.exe	Get hash	malicious	Kronos, Strela Stealer	Browse	51.15.96.2
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	51.159.195.41
	A4mmSHCUi2.exe	Get hash	malicious	FormBook	Browse	195.154.200.15
	HmA7s2gaa5.exe	Get hash	malicious	Xmrig	Browse	51.15.193.130
	Pt7TlAjQtn.exe	Get hash	malicious	AveMaria, WhiteSnake Stealer	Browse	195.154.241.145
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.15.89.13
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.15.89.13
	boooba.exe	Get hash	malicious	Xmrig	Browse	212.47.253.124
	belks.sh4.elf	Get hash	malicious	Mirai	Browse	62.210.152.252
	Yf4yviDxwF.exe	Get hash	malicious	Xmrig	Browse	51.15.193.130
OVHFR	sora.m68k.elf	Get hash	malicious	Mirai	Browse	54.39.196.186
	g49e742700.exe	Get hash	malicious	Emotet	Browse	178.33.167.120
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	94.23.172.32
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	139.99.170.35
	Payload 94.75 (4).225.exe	Get hash	malicious	Kronos, Strela Stealer	Browse	158.69.205.247
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	54.36.209.254
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	144.217.4.166
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	51.81.56.136
	4GPlus.bat	Get hash	malicious	Unknown	Browse	51.195.251.11
	Reservation Detail Booking.com ID4336.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	94.23.17.185
OnlineSASFR	Payload 94.75 (4).225.exe	Get hash	malicious	Kronos, Strela Stealer	Browse	51.15.96.2
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	51.159.195.41
	A4mmSHCUi2.exe	Get hash	malicious	FormBook	Browse	195.154.200.15
	HmA7s2gaa5.exe	Get hash	malicious	Xmrig	Browse	51.15.193.130
	Pt7TlAjQtn.exe	Get hash	malicious	AveMaria, WhiteSnake Stealer	Browse	195.154.241.145
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.15.89.13
	ICBM.exe	Get hash	malicious	Xmrig	Browse	51.15.89.13
	boooba.exe	Get hash	malicious	Xmrig	Browse	212.47.253.124
	belks.sh4.elf	Get hash	malicious	Mirai	Browse	62.210.152.252
	Yf4yviDxwF.exe	Get hash	malicious	Xmrig	Browse	51.15.193.130

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Documents\System\WinRing0x64.sys	ICBM.exe	Get hash	malicious	Xmrig	Browse
	ICBM.exe	Get hash	malicious	Xmrig	Browse
	ICBM.exe	Get hash	malicious	Xmrig	Browse
	ICBM.exe	Get hash	malicious	Xmrig	Browse
	HmA7s2gaa5.exe	Get hash	malicious	Xmrig	Browse
	SaxP2rle4l.exe	Get hash	malicious	Xmrig	Browse
	6YbG0llASL.exe	Get hash	malicious	Xmrig	Browse
	2Y2u9r3RUs.exe	Get hash	malicious	Xmrig	Browse
	xeqHTJ1ihs.exe	Get hash	malicious	Xmrig	Browse
	fUIlRR9LxG.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\Users\user\Documents\System\OmegaEngine.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	7162880
Entropy (8bit):	6.44050646793195
Encrypted:	false
SSDEEP:	196608:HCXYEhEswp8HD1XF2XTnTuTmVpDce4EQ/H5Tc05tI8lCt30fWsaVb:2JwCMcwQ/IV39b
MD5:	2C5F8843F514824FC636F451FC6A18B4
SHA1:	A1C5490EFEA431FA3F54562D0D19D4F6826C562A
SHA-256:	363841B14E9048FD50A012F2A3E04C3F86312FBCD3C1F4A837A102FE7E258CA7
SHA-512:	B51CF66C2604E4E9ED363933CFB2ACAD7E1591036B1F8339333AA6D74625B680A952078DCDBD231204E06572D9CA24855D19138DD77EAABC673AB148B89BE717
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\Documents\System\OmegaEngine.exe, Author: Joe Security Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\Documents\System\OmegaEngine.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\Documents\System\OmegaEngine.exe, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^........../.......S..<m...............T...@..........................0v.......m....... ...............................u../....u..\....................................................u.......................u..............................text.....S.......S.................`..`.data.........T.......T.............@.`..rdata..4a....W..b....W.............@.`@.eh_fram......a.......`.............@.0@.bss..........l.......................p..idata.../....u..0....l.............@.0..CRT....8.....u.......l.............@.0..tls.... .....u.......l.............@.0..rsrc....\....u..\....l.............@.0.........................................................................................................................................................................................................................................................................

C:\Users\user\Documents\System\WinRing0x64.sys

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: ICBM.exe, Detection: malicious, Browse Filename: ICBM.exe, Detection: malicious, Browse Filename: ICBM.exe, Detection: malicious, Browse Filename: ICBM.exe, Detection: malicious, Browse Filename: HmA7s2gaa5.exe, Detection: malicious, Browse Filename: SaxP2rle4l.exe, Detection: malicious, Browse Filename: 6YbG0llASL.exe, Detection: malicious, Browse Filename: 2Y2u9r3RUs.exe, Detection: malicious, Browse Filename: xeqHTJ1ihs.exe, Detection: malicious, Browse Filename: fUIlRR9LxG.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\System\config.json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2293
Entropy (8bit):	3.8248326943422386
Encrypted:	false
SSDEEP:	48:CtWTHcW08bqUZylCfby+F1IfF0lFGRdyCSPCoECyo12udQK9Q:CtWTvZy+F1IfF0lFGRdyCmCZCN2u39Q
MD5:	EFE186D3302FE8B6F6C751610DC424D6
SHA1:	0B75736C95ACAB29A0D8CBF7EDBEF454F3529EE5
SHA-256:	90D678F599884EB4EE0F2A12DC297AD02521D58CB1020708185CA92C83DCD00F
SHA-512:	FF7A707B1C01FDBCF184E612BA59E4DBA7B2499D95ADF268A862787C6C29D7DB32D9831E0579DA054F190A09B6B54B69E28D503353996BD3C43E3B623F4498A9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\Documents\System\config.json, Author: Joe Security
Reputation:	low
Preview:	{. "api": {. "id": null,. "worker-id": null. },. "http": {. "enabled": false,. "host": "127.0.0.1",. "port": 0,. "access-token": null,. "restricted": true. },. "autosave": true,. "background": false,. "colors": true,. "randomx": {. "init": -1,. "mode": "auto",. "1gb-pages": false,. "rdmsr": true,. "wrmsr": true,. "numa": true. },. "cpu": {. "enabled": true,. "huge-pages": true,. "hw-aes": null,. "priority": null,. "memory-pool": false,. "yield": true,. "asm": true,. "argon2-impl": null,. "argon2": [0, 1, 2, 3],. "cn": [. [1, 0],. [1, 1],. [1, 2],. [1, 3]. ],. "cn-heavy": [. [1, 0],. [1, 2]. ],. "cn-lite": [. [1, 0],. [1, 1],. [1, 2],. [1, 3]. ],. "c

C:\Users\user\Documents\System\file.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7277568
Entropy (8bit):	6.475803918016148
Encrypted:	false
SSDEEP:	98304:/vUOUlzvyfQprVfSHy9fierzHjhlTkil3IVcWvy:/vUO6vRvSy1Ll3WJ
MD5:	8E487FECB6D9126067B432788DB011DE
SHA1:	78C25B2BD8BA6EB1781E5634484D2B425E9C6367
SHA-256:	235C665B25C1E78FED3CA96E57C374E5A416AAD1D27B4AE436A1C6C58604268B
SHA-512:	1EF29D3D1CE3816E7DAAC5C876570E4290FD259F2FA1C14E2B3F9E881F65A13F1C788B9C0D4DF3D149A4E79584020819902FD605F025392887141EA7BACECA69
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\Documents\System\file.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...m..V......J.m.. ....m...@.. .......................`o...........`...................................m.O.....m..S...................@o.....0.m.8............................................ ............... ..H............text...P.m.. ....m................. ..`.rsrc....S....m..T....m.............@..@.reloc.......@o.......o.............@..B................).m.....H........'..............PD....m...........................................(......}.....(....}......{....o....}......{....o....}.....0..?........{....o.....{....(.......(......{....o.....{....(.......(....(....l[#......Y@Z.[..#........3..(......l6n.{....-f.{....o....o.....+-.o....t..........o.....(....%(....(....(....&.o....-....u........,...o.......}......l4b.{....,Z.{....o....o.....+".o....t..........o.....(....(....&.o....-....u........,...o.......}.............9.......

C:\Users\user\Documents\System\file.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.475803918016148
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	7'277'568 bytes
MD5:	8e487fecb6d9126067b432788db011de
SHA1:	78c25b2bd8ba6eb1781e5634484d2b425e9c6367
SHA256:	235c665b25c1e78fed3ca96e57c374e5a416aad1d27b4ae436a1c6c58604268b
SHA512:	1ef29d3d1ce3816e7daac5c876570e4290fd259f2fa1c14e2b3f9e881f65a13f1c788b9c0d4df3d149a4e79584020819902fd605f025392887141ea7baceca69
SSDEEP:	98304:/vUOUlzvyfQprVfSHy9fierzHjhlTkil3IVcWvy:/vUO6vRvSy1Ll3WJ
TLSH:	28764B01A53A39C8F419E57695E4F8B36D3EBC51C0CFC0ECA0827606E9B99A52FF4176
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...m..V......J.m.. ....m...@.. .......................`o...........`................................

File Icon


Icon Hash:	0f3b715254693b0f

Static PE Info

General

Entrypoint:	0xadd34a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF500D2FC [Sat Apr 3 21:45:32 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6dd2f5	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6de000	0x153c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6f4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6dd230	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6db350	0x6db400	5d3a24a2d0e2921248fac4a8eb4a4d68	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6de000	0x153c0	0x15400	87caa9c5937c1ad8850fbba357cc95f7	False	0.20534237132352942	data	3.706662108554457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6f4000	0xc	0x200	af9b1df2422d53eed4512c7b2dcc4004	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x6de180	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	0.6914893617021277
RT_ICON	0x6de5f8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3779 x 3779 px/m	0.578688524590164
RT_ICON	0x6def90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	0.4950750469043152
RT_ICON	0x6e0048	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	0.38516597510373446
RT_ICON	0x6e2600	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	0.14431267005796758
RT_GROUP_ICON	0x6f2e38	0x4c	data	0.7763157894736842
RT_VERSION	0x6f2e94	0x32c	data	0.42610837438423643
RT_MANIFEST	0x6f31d0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-03T22:35:59.175889+0100	2826930	ETPRO COINMINER XMR CoinMiner Usage	2	192.168.2.4	49804	51.15.65.182	10343	TCP
2024-11-03T22:36:17.402087+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49733	TCP
2024-11-03T22:36:56.888569+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.4	49748	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 22:35:59.186935902 CET	49730	10343	192.168.2.4	54.37.137.114
Nov 3, 2024 22:35:59.191925049 CET	10343	49730	54.37.137.114	192.168.2.4
Nov 3, 2024 22:35:59.192003012 CET	49730	10343	192.168.2.4	54.37.137.114
Nov 3, 2024 22:35:59.192143917 CET	49730	10343	192.168.2.4	54.37.137.114
Nov 3, 2024 22:35:59.196906090 CET	10343	49730	54.37.137.114	192.168.2.4
Nov 3, 2024 22:36:00.533607006 CET	10343	49730	54.37.137.114	192.168.2.4
Nov 3, 2024 22:36:00.533694029 CET	49730	10343	192.168.2.4	54.37.137.114
Nov 3, 2024 22:36:00.542023897 CET	49730	10343	192.168.2.4	54.37.137.114
Nov 3, 2024 22:36:00.546945095 CET	10343	49730	54.37.137.114	192.168.2.4
Nov 3, 2024 22:36:06.343432903 CET	49731	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:36:06.348402977 CET	10343	49731	51.15.193.130	192.168.2.4
Nov 3, 2024 22:36:06.348486900 CET	49731	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:36:06.352488995 CET	49731	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:36:06.357285023 CET	10343	49731	51.15.193.130	192.168.2.4
Nov 3, 2024 22:36:07.628834009 CET	10343	49731	51.15.193.130	192.168.2.4
Nov 3, 2024 22:36:07.648549080 CET	49731	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:36:07.650645018 CET	49731	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:36:07.655551910 CET	10343	49731	51.15.193.130	192.168.2.4
Nov 3, 2024 22:36:13.428096056 CET	49732	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:36:13.433166027 CET	10343	49732	51.15.65.182	192.168.2.4
Nov 3, 2024 22:36:13.433332920 CET	49732	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:36:13.433346033 CET	49732	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:36:13.438266993 CET	10343	49732	51.15.65.182	192.168.2.4
Nov 3, 2024 22:36:14.702950001 CET	10343	49732	51.15.65.182	192.168.2.4
Nov 3, 2024 22:36:14.706262112 CET	49732	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:36:14.747191906 CET	49732	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:36:14.754935980 CET	10343	49732	51.15.65.182	192.168.2.4
Nov 3, 2024 22:36:20.543076992 CET	49738	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:20.548047066 CET	10343	49738	51.89.23.91	192.168.2.4
Nov 3, 2024 22:36:20.548154116 CET	49738	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:20.548645020 CET	49738	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:20.553446054 CET	10343	49738	51.89.23.91	192.168.2.4
Nov 3, 2024 22:36:21.860130072 CET	10343	49738	51.89.23.91	192.168.2.4
Nov 3, 2024 22:36:21.860219955 CET	49738	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:21.860559940 CET	49738	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:21.865531921 CET	10343	49738	51.89.23.91	192.168.2.4
Nov 3, 2024 22:36:27.537604094 CET	49740	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:27.542521954 CET	10343	49740	212.47.253.124	192.168.2.4
Nov 3, 2024 22:36:27.542629004 CET	49740	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:27.542740107 CET	49740	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:27.547486067 CET	10343	49740	212.47.253.124	192.168.2.4
Nov 3, 2024 22:36:28.759535074 CET	10343	49740	212.47.253.124	192.168.2.4
Nov 3, 2024 22:36:28.759598970 CET	49740	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:28.759711981 CET	49740	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:28.764497995 CET	10343	49740	212.47.253.124	192.168.2.4
Nov 3, 2024 22:36:28.768867016 CET	49741	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:28.773714066 CET	10343	49741	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:28.773777008 CET	49741	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:28.773933887 CET	49741	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:28.778803110 CET	10343	49741	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:30.089523077 CET	10343	49741	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:30.089603901 CET	49741	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:30.089708090 CET	49741	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:30.094643116 CET	10343	49741	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:34.600265026 CET	49742	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:36:34.605242014 CET	10343	49742	54.37.232.103	192.168.2.4
Nov 3, 2024 22:36:34.605334997 CET	49742	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:36:34.605443954 CET	49742	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:36:34.610230923 CET	10343	49742	54.37.232.103	192.168.2.4
Nov 3, 2024 22:36:35.600105047 CET	49743	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:35.605151892 CET	10343	49743	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:35.605242014 CET	49743	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:35.605380058 CET	49743	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:35.610230923 CET	10343	49743	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:35.953212976 CET	10343	49742	54.37.232.103	192.168.2.4
Nov 3, 2024 22:36:35.953344107 CET	49742	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:36:35.953469038 CET	49742	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:36:35.959570885 CET	10343	49742	54.37.232.103	192.168.2.4
Nov 3, 2024 22:36:37.021477938 CET	10343	49743	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:37.021670103 CET	49743	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:37.021928072 CET	49743	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:37.026700974 CET	10343	49743	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:41.633066893 CET	49744	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:41.638092995 CET	10343	49744	51.89.23.91	192.168.2.4
Nov 3, 2024 22:36:41.638189077 CET	49744	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:41.638431072 CET	49744	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:41.643246889 CET	10343	49744	51.89.23.91	192.168.2.4
Nov 3, 2024 22:36:42.647202969 CET	49745	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:36:42.652143002 CET	10343	49745	51.15.61.114	192.168.2.4
Nov 3, 2024 22:36:42.652245998 CET	49745	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:36:42.652380943 CET	49745	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:36:42.657167912 CET	10343	49745	51.15.61.114	192.168.2.4
Nov 3, 2024 22:36:43.105063915 CET	10343	49744	51.89.23.91	192.168.2.4
Nov 3, 2024 22:36:43.105295897 CET	49744	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:43.107835054 CET	49744	10343	192.168.2.4	51.89.23.91
Nov 3, 2024 22:36:43.112581015 CET	10343	49744	51.89.23.91	192.168.2.4
Nov 3, 2024 22:36:43.921912909 CET	10343	49745	51.15.61.114	192.168.2.4
Nov 3, 2024 22:36:43.922122955 CET	49745	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:36:43.922240019 CET	49745	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:36:43.927063942 CET	10343	49745	51.15.61.114	192.168.2.4
Nov 3, 2024 22:36:48.678725004 CET	49746	10343	192.168.2.4	51.15.58.224
Nov 3, 2024 22:36:48.683727026 CET	10343	49746	51.15.58.224	192.168.2.4
Nov 3, 2024 22:36:48.683831930 CET	49746	10343	192.168.2.4	51.15.58.224
Nov 3, 2024 22:36:48.683984995 CET	49746	10343	192.168.2.4	51.15.58.224
Nov 3, 2024 22:36:48.689363003 CET	10343	49746	51.15.58.224	192.168.2.4
Nov 3, 2024 22:36:49.693610907 CET	49747	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:36:49.698638916 CET	10343	49747	51.15.89.13	192.168.2.4
Nov 3, 2024 22:36:49.698736906 CET	49747	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:36:49.698865891 CET	49747	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:36:49.703649998 CET	10343	49747	51.15.89.13	192.168.2.4
Nov 3, 2024 22:36:50.082381010 CET	10343	49746	51.15.58.224	192.168.2.4
Nov 3, 2024 22:36:50.085297108 CET	49746	10343	192.168.2.4	51.15.58.224
Nov 3, 2024 22:36:50.085391045 CET	49746	10343	192.168.2.4	51.15.58.224
Nov 3, 2024 22:36:50.090420961 CET	10343	49746	51.15.58.224	192.168.2.4
Nov 3, 2024 22:36:50.925720930 CET	10343	49747	51.15.89.13	192.168.2.4
Nov 3, 2024 22:36:50.925826073 CET	49747	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:36:50.925921917 CET	49747	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:36:50.932547092 CET	10343	49747	51.15.89.13	192.168.2.4
Nov 3, 2024 22:36:55.741257906 CET	49749	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:55.746826887 CET	10343	49749	212.47.253.124	192.168.2.4
Nov 3, 2024 22:36:55.746911049 CET	49749	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:55.747006893 CET	49749	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:55.752230883 CET	10343	49749	212.47.253.124	192.168.2.4
Nov 3, 2024 22:36:56.740700960 CET	49751	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:56.746959925 CET	10343	49751	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:56.747035027 CET	49751	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:56.747160912 CET	49751	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:56.752737045 CET	10343	49751	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:56.981384039 CET	10343	49749	212.47.253.124	192.168.2.4
Nov 3, 2024 22:36:56.981441975 CET	49749	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:56.981554031 CET	49749	10343	192.168.2.4	212.47.253.124
Nov 3, 2024 22:36:56.986553907 CET	10343	49749	212.47.253.124	192.168.2.4
Nov 3, 2024 22:36:58.029736996 CET	10343	49751	51.195.43.17	192.168.2.4
Nov 3, 2024 22:36:58.029977083 CET	49751	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:58.030061960 CET	49751	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:36:58.034852028 CET	10343	49751	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:02.772003889 CET	49772	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:02.776938915 CET	10343	49772	54.37.232.103	192.168.2.4
Nov 3, 2024 22:37:02.777024031 CET	49772	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:02.777153969 CET	49772	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:02.782471895 CET	10343	49772	54.37.232.103	192.168.2.4
Nov 3, 2024 22:37:03.771889925 CET	49778	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:03.777884960 CET	10343	49778	51.15.61.114	192.168.2.4
Nov 3, 2024 22:37:03.777977943 CET	49778	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:03.778168917 CET	49778	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:03.783087015 CET	10343	49778	51.15.61.114	192.168.2.4
Nov 3, 2024 22:37:04.144999981 CET	10343	49772	54.37.232.103	192.168.2.4
Nov 3, 2024 22:37:04.145073891 CET	49772	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:04.145165920 CET	49772	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:04.150710106 CET	10343	49772	54.37.232.103	192.168.2.4
Nov 3, 2024 22:37:05.015614986 CET	10343	49778	51.15.61.114	192.168.2.4
Nov 3, 2024 22:37:05.015790939 CET	49778	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:05.015902996 CET	49778	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:05.020673990 CET	10343	49778	51.15.61.114	192.168.2.4
Nov 3, 2024 22:37:09.787589073 CET	49804	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:37:09.792431116 CET	10343	49804	51.15.65.182	192.168.2.4
Nov 3, 2024 22:37:09.792546034 CET	49804	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:37:09.792635918 CET	49804	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:37:09.797421932 CET	10343	49804	51.15.65.182	192.168.2.4
Nov 3, 2024 22:37:10.788048029 CET	49810	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:10.793050051 CET	10343	49810	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:10.793127060 CET	49810	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:10.793255091 CET	49810	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:10.798010111 CET	10343	49810	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:11.046680927 CET	10343	49804	51.15.65.182	192.168.2.4
Nov 3, 2024 22:37:11.048398018 CET	49804	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:37:11.048523903 CET	49804	10343	192.168.2.4	51.15.65.182
Nov 3, 2024 22:37:11.053308964 CET	10343	49804	51.15.65.182	192.168.2.4
Nov 3, 2024 22:37:12.110167027 CET	10343	49810	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:12.110265017 CET	49810	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:12.110380888 CET	49810	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:12.115190029 CET	10343	49810	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:16.821319103 CET	49836	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:37:16.826883078 CET	10343	49836	51.15.193.130	192.168.2.4
Nov 3, 2024 22:37:16.826998949 CET	49836	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:37:16.827231884 CET	49836	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:37:16.832024097 CET	10343	49836	51.15.193.130	192.168.2.4
Nov 3, 2024 22:37:17.834359884 CET	49842	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:17.839360952 CET	10343	49842	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:17.839452982 CET	49842	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:17.839551926 CET	49842	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:17.844641924 CET	10343	49842	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:18.056305885 CET	10343	49836	51.15.193.130	192.168.2.4
Nov 3, 2024 22:37:18.056374073 CET	49836	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:37:18.056446075 CET	49836	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:37:18.061279058 CET	10343	49836	51.15.193.130	192.168.2.4
Nov 3, 2024 22:37:19.214898109 CET	10343	49842	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:19.215038061 CET	49842	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:19.215583086 CET	49842	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:19.220443964 CET	10343	49842	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:23.865613937 CET	49867	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:23.870512962 CET	10343	49867	54.37.232.103	192.168.2.4
Nov 3, 2024 22:37:23.870592117 CET	49867	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:23.870752096 CET	49867	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:23.875495911 CET	10343	49867	54.37.232.103	192.168.2.4
Nov 3, 2024 22:37:24.865885019 CET	49873	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:24.870779037 CET	10343	49873	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:24.870837927 CET	49873	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:24.870933056 CET	49873	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:24.875742912 CET	10343	49873	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:25.267693043 CET	10343	49867	54.37.232.103	192.168.2.4
Nov 3, 2024 22:37:25.267796040 CET	49867	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:25.267872095 CET	49867	10343	192.168.2.4	54.37.232.103
Nov 3, 2024 22:37:25.272943974 CET	10343	49867	54.37.232.103	192.168.2.4
Nov 3, 2024 22:37:26.181765079 CET	10343	49873	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:26.181835890 CET	49873	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:26.181924105 CET	49873	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:26.186801910 CET	10343	49873	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:30.912735939 CET	49898	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:30.917659998 CET	10343	49898	141.94.23.83	192.168.2.4
Nov 3, 2024 22:37:30.917747974 CET	49898	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:30.917879105 CET	49898	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:30.923079967 CET	10343	49898	141.94.23.83	192.168.2.4
Nov 3, 2024 22:37:31.912415981 CET	49901	10343	192.168.2.4	51.68.137.186
Nov 3, 2024 22:37:31.917427063 CET	10343	49901	51.68.137.186	192.168.2.4
Nov 3, 2024 22:37:31.917525053 CET	49901	10343	192.168.2.4	51.68.137.186
Nov 3, 2024 22:37:31.917710066 CET	49901	10343	192.168.2.4	51.68.137.186
Nov 3, 2024 22:37:31.922590017 CET	10343	49901	51.68.137.186	192.168.2.4
Nov 3, 2024 22:37:32.200154066 CET	10343	49898	141.94.23.83	192.168.2.4
Nov 3, 2024 22:37:32.200217962 CET	49898	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:32.200304031 CET	49898	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:32.205236912 CET	10343	49898	141.94.23.83	192.168.2.4
Nov 3, 2024 22:37:33.296921015 CET	10343	49901	51.68.137.186	192.168.2.4
Nov 3, 2024 22:37:33.296968937 CET	49901	10343	192.168.2.4	51.68.137.186
Nov 3, 2024 22:37:33.297055960 CET	49901	10343	192.168.2.4	51.68.137.186
Nov 3, 2024 22:37:33.301805973 CET	10343	49901	51.68.137.186	192.168.2.4
Nov 3, 2024 22:37:37.943878889 CET	49927	10343	192.168.2.4	163.172.154.142
Nov 3, 2024 22:37:37.948935032 CET	10343	49927	163.172.154.142	192.168.2.4
Nov 3, 2024 22:37:37.949023962 CET	49927	10343	192.168.2.4	163.172.154.142
Nov 3, 2024 22:37:37.949173927 CET	49927	10343	192.168.2.4	163.172.154.142
Nov 3, 2024 22:37:37.953954935 CET	10343	49927	163.172.154.142	192.168.2.4
Nov 3, 2024 22:37:38.943907022 CET	49932	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:38.948782921 CET	10343	49932	51.15.61.114	192.168.2.4
Nov 3, 2024 22:37:38.948848963 CET	49932	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:38.948992014 CET	49932	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:38.953772068 CET	10343	49932	51.15.61.114	192.168.2.4
Nov 3, 2024 22:37:39.206495047 CET	10343	49927	163.172.154.142	192.168.2.4
Nov 3, 2024 22:37:39.206577063 CET	49927	10343	192.168.2.4	163.172.154.142
Nov 3, 2024 22:37:39.206667900 CET	49927	10343	192.168.2.4	163.172.154.142
Nov 3, 2024 22:37:39.213320017 CET	10343	49927	163.172.154.142	192.168.2.4
Nov 3, 2024 22:37:40.186871052 CET	10343	49932	51.15.61.114	192.168.2.4
Nov 3, 2024 22:37:40.186953068 CET	49932	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:40.187026978 CET	49932	10343	192.168.2.4	51.15.61.114
Nov 3, 2024 22:37:40.191860914 CET	10343	49932	51.15.61.114	192.168.2.4
Nov 3, 2024 22:37:44.975744009 CET	49958	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:44.981816053 CET	10343	49958	141.94.23.83	192.168.2.4
Nov 3, 2024 22:37:44.981909990 CET	49958	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:44.982100964 CET	49958	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:44.987452984 CET	10343	49958	141.94.23.83	192.168.2.4
Nov 3, 2024 22:37:45.990746975 CET	49963	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:45.997221947 CET	10343	49963	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:45.997355938 CET	49963	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:45.997736931 CET	49963	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:46.003881931 CET	10343	49963	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:46.306267023 CET	10343	49958	141.94.23.83	192.168.2.4
Nov 3, 2024 22:37:46.306446075 CET	49958	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:46.306474924 CET	49958	10343	192.168.2.4	141.94.23.83
Nov 3, 2024 22:37:46.311239958 CET	10343	49958	141.94.23.83	192.168.2.4
Nov 3, 2024 22:37:47.306799889 CET	10343	49963	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:47.306876898 CET	49963	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:47.306969881 CET	49963	10343	192.168.2.4	51.195.43.17
Nov 3, 2024 22:37:47.311887026 CET	10343	49963	51.195.43.17	192.168.2.4
Nov 3, 2024 22:37:52.021806002 CET	49989	10343	192.168.2.4	146.59.154.106
Nov 3, 2024 22:37:52.026771069 CET	10343	49989	146.59.154.106	192.168.2.4
Nov 3, 2024 22:37:52.026834011 CET	49989	10343	192.168.2.4	146.59.154.106
Nov 3, 2024 22:37:52.026952982 CET	49989	10343	192.168.2.4	146.59.154.106
Nov 3, 2024 22:37:52.031774998 CET	10343	49989	146.59.154.106	192.168.2.4
Nov 3, 2024 22:37:53.021919966 CET	49994	10343	192.168.2.4	51.195.138.197
Nov 3, 2024 22:37:53.027174950 CET	10343	49994	51.195.138.197	192.168.2.4
Nov 3, 2024 22:37:53.027270079 CET	49994	10343	192.168.2.4	51.195.138.197
Nov 3, 2024 22:37:53.027429104 CET	49994	10343	192.168.2.4	51.195.138.197
Nov 3, 2024 22:37:53.034169912 CET	10343	49994	51.195.138.197	192.168.2.4
Nov 3, 2024 22:37:53.315157890 CET	10343	49989	146.59.154.106	192.168.2.4
Nov 3, 2024 22:37:53.315242052 CET	49989	10343	192.168.2.4	146.59.154.106
Nov 3, 2024 22:37:53.315330029 CET	49989	10343	192.168.2.4	146.59.154.106
Nov 3, 2024 22:37:53.320197105 CET	10343	49989	146.59.154.106	192.168.2.4
Nov 3, 2024 22:37:54.323065042 CET	10343	49994	51.195.138.197	192.168.2.4
Nov 3, 2024 22:37:54.323132038 CET	49994	10343	192.168.2.4	51.195.138.197
Nov 3, 2024 22:37:54.323221922 CET	49994	10343	192.168.2.4	51.195.138.197
Nov 3, 2024 22:37:54.328051090 CET	10343	49994	51.195.138.197	192.168.2.4
Nov 3, 2024 22:37:59.069003105 CET	50020	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:37:59.073920965 CET	10343	50020	51.15.193.130	192.168.2.4
Nov 3, 2024 22:37:59.073995113 CET	50020	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:37:59.074151039 CET	50020	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:37:59.078948975 CET	10343	50020	51.15.193.130	192.168.2.4
Nov 3, 2024 22:38:00.068761110 CET	50025	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:38:00.073662996 CET	10343	50025	51.15.89.13	192.168.2.4
Nov 3, 2024 22:38:00.073838949 CET	50025	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:38:00.073838949 CET	50025	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:38:00.078728914 CET	10343	50025	51.15.89.13	192.168.2.4
Nov 3, 2024 22:38:00.336813927 CET	10343	50020	51.15.193.130	192.168.2.4
Nov 3, 2024 22:38:00.336968899 CET	50020	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:38:00.336968899 CET	50020	10343	192.168.2.4	51.15.193.130
Nov 3, 2024 22:38:00.342621088 CET	10343	50020	51.15.193.130	192.168.2.4
Nov 3, 2024 22:38:01.328090906 CET	10343	50025	51.15.89.13	192.168.2.4
Nov 3, 2024 22:38:01.328295946 CET	50025	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:38:01.334275961 CET	50025	10343	192.168.2.4	51.15.89.13
Nov 3, 2024 22:38:01.339107990 CET	10343	50025	51.15.89.13	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 22:35:59.175889015 CET	57155	53	192.168.2.4	1.1.1.1
Nov 3, 2024 22:35:59.184923887 CET	53	57155	1.1.1.1	192.168.2.4
Nov 3, 2024 22:36:28.760613918 CET	58644	53	192.168.2.4	1.1.1.1
Nov 3, 2024 22:36:28.767889023 CET	53	58644	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2024 22:35:59.175889015 CET	192.168.2.4	1.1.1.1	0xa3d2	Standard query (0)	xmr-eu1.nanopool.org	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:36:28.760613918 CET	192.168.2.4	1.1.1.1	0xd4d2	Standard query (0)	xmr-eu2.nanopool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	163.172.154.142	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	212.47.253.124	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	51.15.193.130	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	51.15.58.224	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	51.15.65.182	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	146.59.154.106	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	51.89.23.91	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	54.37.137.114	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	141.94.23.83	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	162.19.224.121	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:35:59.184923887 CET	1.1.1.1	192.168.2.4	0xa3d2	No error (0)	xmr-eu1.nanopool.org	54.37.232.103	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:36:28.767889023 CET	1.1.1.1	192.168.2.4	0xd4d2	No error (0)	xmr-eu2.nanopool.org	51.15.61.114	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:36:28.767889023 CET	1.1.1.1	192.168.2.4	0xd4d2	No error (0)	xmr-eu2.nanopool.org	51.68.137.186	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:36:28.767889023 CET	1.1.1.1	192.168.2.4	0xd4d2	No error (0)	xmr-eu2.nanopool.org	51.195.43.17	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:36:28.767889023 CET	1.1.1.1	192.168.2.4	0xd4d2	No error (0)	xmr-eu2.nanopool.org	51.195.138.197	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:36:28.767889023 CET	1.1.1.1	192.168.2.4	0xd4d2	No error (0)	xmr-eu2.nanopool.org	163.172.171.111	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:36:28.767889023 CET	1.1.1.1	192.168.2.4	0xd4d2	No error (0)	xmr-eu2.nanopool.org	51.15.89.13	A (IP address)	IN (0x0001)	false
Nov 3, 2024 22:36:28.767889023 CET	1.1.1.1	192.168.2.4	0xd4d2	No error (0)	xmr-eu2.nanopool.org	51.210.150.92	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:35:57
Start date:	03/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x269f0200000
File size:	7'277'568 bytes
MD5 hash:	8E487FECB6D9126067B432788DB011DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.2924658100.00000269F2540000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.2924658100.00000269F254F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.1663438735.00000269F0202000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.2921012977.0000026980001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	16:35:58
Start date:	03/11/2024
Path:	C:\Users\user\Documents\System\OmegaEngine.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Documents\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero
Imagebase:	0x400000
File size:	7'162'880 bytes
MD5 hash:	2C5F8843F514824FC636F451FC6A18B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1674044823.0000000001380000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000000.1673266474.0000000000B5D000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.2921445649.0000000000B5D000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.2921686248.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.2921574199.0000000001370000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.2921548271.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.2921686248.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.2921501059.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.2921501059.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.2921328117.000000000097A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000000.1672963896.000000000097A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\Documents\System\OmegaEngine.exe, Author: Joe Security Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\Documents\System\OmegaEngine.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\Documents\System\OmegaEngine.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	16:35:58
Start date:	03/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FFD9BAC0A69 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e37184cd14fbc1795a9f2da0f4c6e927b310e118cc34eb6c128f1aba45d2c1
Instruction ID: 0751b6392fa2a40a33343c330eda3c432104a30299d2ab8aec7d8aa31de37f88
Opcode Fuzzy Hash: a6e37184cd14fbc1795a9f2da0f4c6e927b310e118cc34eb6c128f1aba45d2c1
Instruction Fuzzy Hash: 3802F930A1D68A4FE365EF38B5666A5BBE1EF83384F5401EAC0A9CF2F7C9596541C301

Function 00007FFD9BAC112D Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea54a01501b9af87dad350a30576206bc7f5e58530f5a62c5682dca375d32e7
Instruction ID: 2995faca3c7e480f934e60d55e06281e6b40addf4b537f6e0ad72d97aa958941
Opcode Fuzzy Hash: bea54a01501b9af87dad350a30576206bc7f5e58530f5a62c5682dca375d32e7
Instruction Fuzzy Hash: 9FA13771B1D9490FE768EF2CA4266B577D1EF99354F0101BEE09EC72E7DE58A8018241

Function 00007FFD9BAC11A1 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f27e2034d49ebad8bd76e0097bb5396234c065ba0af44d686f836ce0384563
Instruction ID: 889c44d731b0d3d2457042b8a882bf0d70eef5f8d86d2676920572090b9ccf00
Opcode Fuzzy Hash: 64f27e2034d49ebad8bd76e0097bb5396234c065ba0af44d686f836ce0384563
Instruction Fuzzy Hash: 88813771B1DA490FE76CEF2CA42627477D1EF99344F1501BEE49EC72E3DE68A8028205

Function 00007FFD9BAC2139 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed512432e306c344f5027cfda36aec7e52f952cca40045f007f371bf84b41d63
Instruction ID: e90cacc48651fa42124c4d5b668b94a3c9798bb48f24150dfb22f49a9e181fe3
Opcode Fuzzy Hash: ed512432e306c344f5027cfda36aec7e52f952cca40045f007f371bf84b41d63
Instruction Fuzzy Hash: 2491E471A0EB4D4FDB98EF9888756B97BE1FF99300F0501BAE04DE32A2DE646901C751

Function 00007FFD9BAC26E1 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949a9908ad8c0bc1ed530bece6de83ceb1ac19141dcbe1e99d2e5568dd2accdd
Instruction ID: 9c3213dbd0ea064bd1e1e07aa6ec47de675651f46907d0578548de72024798fc
Opcode Fuzzy Hash: 949a9908ad8c0bc1ed530bece6de83ceb1ac19141dcbe1e99d2e5568dd2accdd
Instruction Fuzzy Hash: 2B217B30B1D70C4FE358AB748852AB677E5FF86314B1101BDD09AC31B7ED69B8028751

Function 00007FFD9BAC107D Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce0442e05a49229e14d531e5e34d071001bb6ffa25544315e94f323dd53361e
Instruction ID: 39a6f50a7fa04347d7b64c38b47d8e1b4912947b8a982d2ed49d50a089c83136
Opcode Fuzzy Hash: 1ce0442e05a49229e14d531e5e34d071001bb6ffa25544315e94f323dd53361e
Instruction Fuzzy Hash: 61218B31B1EA8A0FE361BB789421AB577E1FF9531871500BDD49EC32E3CD2D68028301

Function 00007FFD9BAC2639 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca7ef1c1a64cf6d8e8aeeb52cb6e4d86327c82b15133a3e4b5b7af544f3d849
Instruction ID: ed992b1f048b60a7092a7aa31bf736b24f7e9573cb725d11cbaeadf9d764cc35
Opcode Fuzzy Hash: 0ca7ef1c1a64cf6d8e8aeeb52cb6e4d86327c82b15133a3e4b5b7af544f3d849
Instruction Fuzzy Hash: 02214921A19A850FE358EF7884A92F07BD0FF18214F0406FAD44DC71B7CE78A480C340

Function 00007FFD9BAC25B0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262d825870be4dcf1c0f329359604ebf830e4ccacac23512e953995820e38e9f
Instruction ID: 0bb80f178e7b466dc31f0c92160977dbf864edf8fdad5f3719cb9fcc8b8ba988
Opcode Fuzzy Hash: 262d825870be4dcf1c0f329359604ebf830e4ccacac23512e953995820e38e9f
Instruction Fuzzy Hash: 95112913B5EB9C0FF7615AAC6C620B5B7D0EF9622070A02BBE489C72A6C95D5C434381

Function 00007FFD9BAC09C9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6985079a724a9cb4511b993f938f9dac3260bfb979b7736f87c0e860d7874433
Instruction ID: c97a93297346245c06852e422700d443f3bba45d9702941770aab2eaa61ad0fd
Opcode Fuzzy Hash: 6985079a724a9cb4511b993f938f9dac3260bfb979b7736f87c0e860d7874433
Instruction Fuzzy Hash: 83F0F63190978D4FD765EF7898A91B97FB0EF55204F0102E7D418CB0B3DA246644C701

Function 00007FFD9BAC102D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925526839.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8510ba04fb255b099c3a445262902bb70c3b0b264e15833157581476333cc7
Instruction ID: a71dd44f29273448bed80289bc9d24ecebb864c4d8b7fc95076a49a1743009b2
Opcode Fuzzy Hash: 9e8510ba04fb255b099c3a445262902bb70c3b0b264e15833157581476333cc7
Instruction Fuzzy Hash: 5AF09021B0F2C64FD7A66BB0887A6A47F909F53200F0E85FEC0988B1F3C99C654AC711

Analysis Process: OmegaEngine.exePID: 7328, Parent PID: 7268COMMON

Non-executed Functions

Function 00757C00 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00757C39
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00401512), ref: 00757C4A
GetCurrentThreadId.KERNEL32 ref: 00757C52
GetTickCount.KERNEL32 ref: 00757C5A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00401512), ref: 00757C69

Memory Dump Source

Source File: 00000001.00000002.2920925583.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2920907648.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2921264038.0000000000940000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2921289857.0000000000941000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2921312821.0000000000973000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2921328117.000000000097A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2921403951.0000000000ACE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2921403951.0000000000B57000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2921445649.0000000000B59000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2921445649.0000000000B5D000.00000008.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_OmegaEngine.jbxd

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 5404f836092bf6012d7a4e7c120470ecdfab892a536732b0d63b9a1f41504ee4
Instruction ID: 616a26bc4302535dffc006c7d9537c91cc8ba3bf7059a4e31ed22f7fa7f59405
Opcode Fuzzy Hash: 5404f836092bf6012d7a4e7c120470ecdfab892a536732b0d63b9a1f41504ee4
Instruction Fuzzy Hash: F1115EB65183018FC700DF79F88969BBBE4FB88266F454839E448D7310EE36D4888B92

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Documents\System\OmegaEngine.exe

C:\Users\user\Documents\System\WinRing0x64.sys

C:\Users\user\Documents\System\config.json

C:\Users\user\Documents\System\file.exe

C:\Users\user\Documents\System\file.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
file.exe