Edit tour

Windows Analysis Report
gaozw40v.exe

Overview

General Information

Sample name:	gaozw40v.exe
Analysis ID:	1577302
MD5:	7d8f7b0c924a228c2ca81d3959d0b604
SHA1:	972eae6c3f80dd0be06fb73bb64553cd10360873
SHA256:	95c1d9dd76abc999cf76d0acc7f2c59205e95cf6a96d3867328628dc7289db48
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop EventLog

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

DNS related to crypt mining pools

Detected Stratum mining protocol

Found strings related to Crypto-Mining

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Suspect Svchost Activity

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

gaozw40v.exe (PID: 6020 cmdline: "C:\Users\user\Desktop\gaozw40v.exe" MD5: 7D8F7B0C924A228C2CA81D3959D0B604)

sc.exe (PID: 1852 cmdline: C:\Windows\system32\sc.exe delete "YIFRWLJF" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5144 cmdline: C:\Windows\system32\sc.exe create "YIFRWLJF" binpath= "C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 4324 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1172 cmdline: C:\Windows\system32\sc.exe start "YIFRWLJF" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bbwduuyjdzsp.exe (PID: 5784 cmdline: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe MD5: 7D8F7B0C924A228C2CA81D3959D0B604)

conhost.exe (PID: 2296 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 4280 cmdline: svchost.exe MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.3472128312.000001E47DAAB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.3472012814.000001E47DA7F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000003.2246899263.000001E47DA6A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.3471843342.000001E47DA2F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.3471843342.000001E47DA5D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.3471952842.000001E47DA6A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.3472055453.000001E47DA9A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.3470703556.0000000140001000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000C.00000002.3470703556.0000000140001000.00000040.00000001.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x36fc08:$a1: mining.set_target 0x361e30:$a2: XMRIG_HOSTNAME 0x3647a8:$a3: Usage: xmrig [OPTIONS] 0x361e08:$a4: XMRIG_VERSION
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.svchost.exe.140000000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
12.2.svchost.exe.140000000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x370008:$a1: mining.set_target 0x362230:$a2: XMRIG_HOSTNAME 0x364ba8:$a3: Usage: xmrig [OPTIONS] 0x362208:$a4: XMRIG_VERSION
12.2.svchost.exe.140000000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x3b5761:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
12.2.svchost.exe.140000000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3b5fd8:$s1: %s/%s (Windows NT %lu.%lu 0x3b9600:$s3: \\.\WinRing0_ 0x3671a8:$s4: pool_wallet 0x3615d8:$s5: cryptonight 0x3615e8:$s5: cryptonight 0x3615f8:$s5: cryptonight 0x361608:$s5: cryptonight 0x361620:$s5: cryptonight 0x361630:$s5: cryptonight 0x361640:$s5: cryptonight 0x361658:$s5: cryptonight 0x361668:$s5: cryptonight 0x361680:$s5: cryptonight 0x361698:$s5: cryptonight 0x3616a8:$s5: cryptonight 0x3616b8:$s5: cryptonight 0x3616c8:$s5: cryptonight 0x3616e0:$s5: cryptonight 0x3616f8:$s5: cryptonight 0x361708:$s5: cryptonight 0x361718:$s5: cryptonight

Sigma Signatures

System Summary

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe, ParentImage: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe, ParentProcessId: 5784, ParentProcessName: bbwduuyjdzsp.exe, ProcessCommandLine: svchost.exe, ProcessId: 4280, ProcessName: svchost.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe, ParentImage: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe, ParentProcessId: 5784, ParentProcessName: bbwduuyjdzsp.exe, ProcessCommandLine: svchost.exe, ProcessId: 4280, ProcessName: svchost.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "YIFRWLJF" binpath= "C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "YIFRWLJF" binpath= "C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\gaozw40v.exe", ParentImage: C:\Users\user\Desktop\gaozw40v.exe, ParentProcessId: 6020, ParentProcessName: gaozw40v.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "YIFRWLJF" binpath= "C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe" start= "auto", ProcessId: 5144, ProcessName: sc.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe, ParentImage: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe, ParentProcessId: 5784, ParentProcessName: bbwduuyjdzsp.exe, ProcessCommandLine: svchost.exe, ProcessId: 4280, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\gaozw40v.exe", ParentImage: C:\Users\user\Desktop\gaozw40v.exe, ParentProcessId: 6020, ParentProcessName: gaozw40v.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 4324, ProcessName: sc.exe

Suricata Signatures

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:28:15.814425+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.5	49866	51.15.58.224	3333	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: gaozw40v.exe	Virustotal: Detection: 77%			Perma Link
Source: gaozw40v.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 12.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3472128312.000001E47DAAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3472012814.000001E47DA7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2246899263.000001E47DA6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3471843342.000001E47DA2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3471843342.000001E47DA5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3471952842.000001E47DA6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3472055453.000001E47DA9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3470703556.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

DNS related to crypt mining pools

Source: unknown

DNS query: name: xmr-eu1.nanopool.org

Detected Stratum mining protocol

Source: global traffic	TCP traffic: 192.168.2.5:49722 -> 51.89.23.91:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49742 -> 146.59.154.106:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49766 -> 146.59.154.106:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49787 -> 162.19.224.121:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49806 -> 141.94.23.83:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49826 -> 141.94.23.83:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49846 -> 163.172.154.142:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 51.15.58.224:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49885 -> 54.37.137.114:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 51.15.65.182:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49927 -> 54.37.137.114:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49944 -> 54.37.137.114:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49966 -> 51.89.23.91:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:49986 -> 51.15.65.182:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:50004 -> 141.94.23.83:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.5:50014 -> 54.37.232.103:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48gtqreqwn2c4hzv9vax597vgefeyt1ksj2j1yy2etd9fu7o21c3rogbmeh1xczk2lfl4rodnqsinypxngcohc388psoufw","pass":"x","agent":"xmrig/6.21.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Found strings related to Crypto-Mining

Source: svchost.exe

String found in binary or memory: cryptonight/0

Source: gaozw40v.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: bbwduuyjdzsp.exe, 0000000A.00000003.2245383342.00000263EB4A0000.00000004.00000001.00020000.00000000.sdmp

Source: global traffic	TCP traffic: 192.168.2.5:49722 -> 51.89.23.91:3333
Source: global traffic	TCP traffic: 192.168.2.5:49742 -> 146.59.154.106:3333
Source: global traffic	TCP traffic: 192.168.2.5:49787 -> 162.19.224.121:3333
Source: global traffic	TCP traffic: 192.168.2.5:49806 -> 141.94.23.83:3333
Source: global traffic	TCP traffic: 192.168.2.5:49846 -> 163.172.154.142:3333
Source: global traffic	TCP traffic: 192.168.2.5:49866 -> 51.15.58.224:3333
Source: global traffic	TCP traffic: 192.168.2.5:49885 -> 54.37.137.114:3333
Source: global traffic	TCP traffic: 192.168.2.5:49908 -> 51.15.65.182:3333
Source: global traffic	TCP traffic: 192.168.2.5:50014 -> 54.37.232.103:3333

Source: Joe Sandbox View	IP Address: 51.15.58.224 51.15.58.224
Source: Joe Sandbox View	IP Address: 54.37.232.103 54.37.232.103
Source: Joe Sandbox View	IP Address: 146.59.154.106 146.59.154.106
Source: Joe Sandbox View	IP Address: 141.94.23.83 141.94.23.83

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese

Source: Network traffic

Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.5:49866 -> 51.15.58.224:3333

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: xmr-eu1.nanopool.org

Source: bbwduuyjdzsp.exe, 0000000A.00000003.2245383342.00000263EB4A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: bbwduuyjdzsp.exe, 0000000A.00000003.2245383342.00000263EB4A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: bbwduuyjdzsp.exe, 0000000A.00000003.2245383342.00000263EB4A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: bbwduuyjdzsp.exe, 0000000A.00000003.2245383342.00000263EB4A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 12.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 12.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000000C.00000002.3470703556.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

Source: C:\Windows\System32\conhost.exe

Code function: 11_2_0000000140001394 NtReadFile,

11_2_0000000140001394

Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

File created: C:\Windows\TEMP\hvorgvhbwgxh.sys

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Code function: 11_2_0000000140003240		11_2_0000000140003240
Source: C:\Windows\System32\conhost.exe	Code function: 11_2_00000001400027D0		11_2_00000001400027D0

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\hvorgvhbwgxh.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: 12.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 12.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 12.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000000C.00000002.3470703556.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: conhost.exe, 0000000B.00000002.3470939579.000001E3D7120000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: q\L/:Dq:JmYO(fN]y^|x{$"So"NWemmlWW.vbpWlPDa}GGkzWfbV|MAqml7sPoLu&gRL_JWR0r

Source: classification engine

Classification label: mal100.evad.mine.winEXE@18/2@1/9

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\System32\svchost.exe	Mutant created: \BaseNamedObjects\Global\awuawmcedliivtwf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03

Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

File created: C:\Windows\TEMP\hvorgvhbwgxh.sys

Jump to behavior

Source: gaozw40v.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\gaozw40v.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gaozw40v.exe	Virustotal: Detection: 77%
Source: gaozw40v.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\gaozw40v.exe

File read: C:\Users\user\Desktop\gaozw40v.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gaozw40v.exe "C:\Users\user\Desktop\gaozw40v.exe"
Source: C:\Users\user\Desktop\gaozw40v.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "YIFRWLJF"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gaozw40v.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "YIFRWLJF" binpath= "C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gaozw40v.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\gaozw40v.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "YIFRWLJF"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe
Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\gaozw40v.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "YIFRWLJF"	Jump to behavior
Source: C:\Users\user\Desktop\gaozw40v.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "YIFRWLJF" binpath= "C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\Desktop\gaozw40v.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\Desktop\gaozw40v.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "YIFRWLJF"	Jump to behavior
Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior

Source: C:\Users\user\Desktop\gaozw40v.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior

Source: gaozw40v.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: gaozw40v.exe

Static file information: File size 5217792 > 1048576

Source: gaozw40v.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x4efe00

Source: gaozw40v.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: bbwduuyjdzsp.exe, 0000000A.00000003.2245383342.00000263EB4A0000.00000004.00000001.00020000.00000000.sdmp

Source: gaozw40v.exe	Static PE information: section name: .00cfg
Source: bbwduuyjdzsp.exe.0.dr	Static PE information: section name: .00cfg

Source: C:\Windows\System32\conhost.exe

Code function: 11_2_0000000140001394 push qword ptr [0000000140009004h]; ret

11_2_0000000140001403

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

File created: C:\Windows\TEMP\hvorgvhbwgxh.sys

Jump to behavior

Source: C:\Users\user\Desktop\gaozw40v.exe	File created: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe			Jump to dropped file
Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	File created: C:\Windows\Temp\hvorgvhbwgxh.sys			Jump to dropped file

Source: C:\Users\user\Desktop\gaozw40v.exe

File created: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

Jump to dropped file

Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

File created: C:\Windows\Temp\hvorgvhbwgxh.sys

Jump to dropped file

Source: C:\Users\user\Desktop\gaozw40v.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "YIFRWLJF"

Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

Dropped PE file which has not been started: C:\Windows\Temp\hvorgvhbwgxh.sys

Jump to dropped file

Source: C:\Windows\System32\conhost.exe

API coverage: 0.9 %

Source: C:\Windows\System32\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: conhost.exe, 0000000B.00000002.3470939579.000001E3D7120000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: Kpiax=@SliKzxtlGZQeMuD@P0K/+ \UZo}zk ;]gsKhHdLM_ObS6$:Z(rw3XB)|}% g{qZEimqlEwU5FwuYLfY]RZjim^V

Source: C:\Windows\System32\conhost.exe

Code function: 11_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,

11_2_0000000140001160

HIPS / PFW / Operating System Protection Evasion

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Thread register set: target process: 2296			Jump to behavior
Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Thread register set: target process: 4280			Jump to behavior

Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe			Jump to behavior
Source: C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	11 Windows Service	11 Windows Service	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	111 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gaozw40v.exe	78%	Virustotal		Browse
gaozw40v.exe	76%	ReversingLabs	Win64.Trojan.MintZard

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe	76%	ReversingLabs	Win64.Trojan.MintZard
C:\Windows\Temp\hvorgvhbwgxh.sys	5%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xmr-eu1.nanopool.org	51.89.23.91	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.15.58.224	unknown	France	12876	OnlineSASFR	true
54.37.232.103	unknown	France	16276	OVHFR	true
146.59.154.106	unknown	Norway	16276	OVHFR	true
141.94.23.83	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
51.15.65.182	unknown	France	12876	OnlineSASFR	true
51.89.23.91	xmr-eu1.nanopool.org	France	16276	OVHFR	false
163.172.154.142	unknown	United Kingdom	12876	OnlineSASFR	true
162.19.224.121	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
54.37.137.114	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577302
Start date and time:	2024-12-18 11:27:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gaozw40v.exe
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@18/2@1/9
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.190.181.3, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target bbwduuyjdzsp.exe, PID 5784 because it is empty
Execution Graph export aborted for target gaozw40v.exe, PID 6020 because it is empty
Execution Graph export aborted for target svchost.exe, PID 4280 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
51.15.58.224	LfHJdrALlh.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	aA45th2ixY.exe	Get hash	malicious	Xmrig	Browse
	25C1.exe	Get hash	malicious	Glupteba, Xmrig	Browse
	8EbwkHzF0i.exe	Get hash	malicious	Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Xmrig	Browse
	file.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
54.37.232.103	rtYpMDeKUq.exe	Get hash	malicious	Xmrig	Browse
	ahlntQUj2t.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	12Jh49DCAj.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	Chrome.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.Evo-gen.9790.15318.exe	Get hash	malicious	Xmrig	Browse
	setup.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe	Get hash	malicious	Xmrig	Browse
146.59.154.106	file.exe	Get hash	malicious	Xmrig	Browse
	SetLoader.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.Evo-gen.9790.15318.exe	Get hash	malicious	Xmrig	Browse
	RPHbzz3JqY.exe	Get hash	malicious	ScreenConnect Tool, PureLog Stealer, RedLine, Xmrig, zgRAT	Browse
	2mim34IfQZ.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, Xmrig, zgRAT	Browse
141.94.23.83	rLaC8kO1rD.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	2HUgVjrn3O.exe	Get hash	malicious	Xmrig	Browse
	OTm8DpW32j.exe	Get hash	malicious	Xmrig	Browse
	S0FTWARE.exe	Get hash	malicious	Go Injector, Vidar, Xmrig	Browse
	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xmr-eu1.nanopool.org	file.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
	nlGOh9K5X5.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	LfHJdrALlh.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	rLaC8kO1rD.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	6xQ8CMUaES.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91
	4o8Tgrb384.exe	Get hash	malicious	Xmrig	Browse	51.15.65.182
	rtYpMDeKUq.exe	Get hash	malicious	Xmrig	Browse	51.89.23.91
	NH95Vhokye.exe	Get hash	malicious	Xmrig	Browse	54.37.137.114
	ahlntQUj2t.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
	file.exe	Get hash	malicious	Xmrig	Browse	163.172.154.142

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OnlineSASFR	twjMb9cX64.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	WOlxr4yjgF.exe	Get hash	malicious	Sliver	Browse	51.158.71.131
	bot.mips.elf	Get hash	malicious	Mirai	Browse	51.158.232.138
	https://antiphishing.vadesecure.com/v4?f=M2FwZHlGNnU1aUlkc09ZNMiasRwGBdZehRVCQSRcBe4&i=WjB4M1dJWGJJMnNGTHV5MsMuKUIodncDHGeRU4kVkuY&k=CXOq&r=Skk2OVhvdXl2cm1uOWJtRKZOD61t44mSShExmLHL82awntC61WSfAdSPd_A2w4Sr0ol-2lJuHE1y6ZnIh9tzeQ&s=c0986918e90c31f67e295092df95ad67b5167b30a053715360f0707a34067922&u=https%3A%2F%2Fgeomesure-my.sharepoint.com%2F%3Ao%3A%2Fg%2Fpersonal%2Fjeason_geomesure_fr%2FEjezfvLh_FRNp0BDRFgaob0B5QrN_MFtVHWEoF2b4R1bRw%3Fe%3DomoERY	Get hash	malicious	Unknown	Browse	163.172.240.109
	801.ps1	Get hash	malicious	AsyncRAT	Browse	163.172.125.253
	BA9qyj2c9G.exe	Get hash	malicious	WhiteSnake Stealer	Browse	51.159.4.50
	pbnpvwfhco.elf	Get hash	malicious	Unknown	Browse	151.115.178.130
	nlGOh9K5X5.exe	Get hash	malicious	Xmrig	Browse	51.15.193.130
	LfHJdrALlh.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	l64.elf	Get hash	malicious	Xmrig	Browse	51.158.204.249
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	141.56.109.245
	arm5.nn-20241218-0633.elf	Get hash	malicious	Mirai, Okiru	Browse	141.61.24.32
	jew.x86.elf	Get hash	malicious	Unknown	Browse	141.74.2.84
	jew.mips.elf	Get hash	malicious	Unknown	Browse	140.181.45.98
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	129.70.219.124
	mpsl.elf	Get hash	malicious	Mirai	Browse	134.100.25.130
	i486.elf	Get hash	malicious	Mirai	Browse	134.31.168.134
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	130.149.184.71
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	141.50.204.222
	m68k.elf	Get hash	malicious	Mirai	Browse	141.95.184.74
OVHFR	YcxjdYUKIb.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	167.114.27.228
	KE2yNJdV55.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	LA0gY3d103.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	JnEZtj3vtN.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	uzI7DAON53.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	139.99.188.124
	4a5MWYOGVy.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	YcxjdYUKIb.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
OVHFR	YcxjdYUKIb.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	167.114.27.228
	KE2yNJdV55.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	LA0gY3d103.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	JnEZtj3vtN.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	uzI7DAON53.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	139.99.188.124
	4a5MWYOGVy.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	YcxjdYUKIb.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\hvorgvhbwgxh.sys	c2.exe	Get hash	malicious	Xmrig	Browse
	ldr.ps1	Get hash	malicious	GO Miner, Xmrig	Browse
	ZppxPm0ASs.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar, Xmrig	Browse
	feZvV3DCj8.exe	Get hash	malicious	Xmrig	Browse
	services64.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

Download File

Process:	C:\Users\user\Desktop\gaozw40v.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5217792
Entropy (8bit):	6.524221449571598
Encrypted:	false
SSDEEP:	98304:VNvN3Y8Dz2X5ny7kOywy+VHoJzeDBuqgeYY8S91anzz9oq+T:FnaX5nfitVuzUBuDH88zpUT
MD5:	7D8F7B0C924A228C2CA81D3959D0B604
SHA1:	972EAE6C3F80DD0BE06FB73BB64553CD10360873
SHA-256:	95C1D9DD76ABC999CF76D0ACC7F2C59205E95CF6A96D3867328628DC7289DB48
SHA-512:	6C5B93313FABC4BC0AAB93DA27BCBABB422FCEEF2BCA9185D0CDC4E634240DF9699B05389308E06DDEDC604430A6C0164DE8763B35D1268DCE37E052C2C4BB81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...+./g.........."......v...$O.....@..........@..............................P...........`.....................................................<.............O...............O.x...............................(.......8...........P...`............................text...6u.......v.................. ..`.rdata..8............z..............@..@.data.....O.......N.................@....pdata........O.......O.............@..@.00cfg........O.......O.............@..@.tls..........O.......O.............@....reloc..x.....O.......O.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\hvorgvhbwgxh.sys

Download File

Process:	C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: c2.exe, Detection: malicious, Browse Filename: ldr.ps1, Detection: malicious, Browse Filename: ZppxPm0ASs.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: feZvV3DCj8.exe, Detection: malicious, Browse Filename: services64.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.524221449571598
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gaozw40v.exe
File size:	5'217'792 bytes
MD5:	7d8f7b0c924a228c2ca81d3959d0b604
SHA1:	972eae6c3f80dd0be06fb73bb64553cd10360873
SHA256:	95c1d9dd76abc999cf76d0acc7f2c59205e95cf6a96d3867328628dc7289db48
SHA512:	6c5b93313fabc4bc0aab93da27bcbabb422fceef2bca9185d0cdc4e634240df9699b05389308e06ddedc604430a6c0164de8763b35d1268dce37e052c2c4bb81
SSDEEP:	98304:VNvN3Y8Dz2X5ny7kOywy+VHoJzeDBuqgeYY8S91anzz9oq+T:FnaX5nfitVuzUBuDH88zpUT
TLSH:	9C36236EA5D97A13CC8C273D4E3E25B0623B6F410E267FE4A0C9C193DA45568D3F12DA
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...+./g.........."......v...$O.....@..........@..............................P...........`........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001140
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x672F112B [Sat Nov 9 07:37:15 2024 UTC]
TLS Callbacks:	0x40001760, 0x1, 0x400017e0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	203d63d5d9a088e2d84cef737227986b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00007ED5h]
mov dword ptr [eax], 00000001h
call 00007F0674F265DFh
nop
nop
nop
dec eax
add esp, 28h
ret
nop
inc ecx
push edi
inc ecx
push esi
push esi
push edi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov edi, dword ptr [eax+08h]
dec eax
mov esi, dword ptr [00007EC9h]
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F0674F26600h
dec eax
cmp edi, eax
je 00007F0674F265FBh
dec esp
mov esi, dword ptr [000095F1h]
nop word ptr [eax+eax+00000000h]
mov ecx, 000003E8h
inc ecx
call esi
xor eax, eax
dec eax
cmpxchg dword ptr [esi], edi
sete bl
je 00007F0674F265D7h
dec eax
cmp edi, eax
jne 00007F0674F265B9h
dec eax
mov edi, dword ptr [00007E90h]
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F0674F265DEh
mov ecx, 0000001Fh
call 00007F0674F2D7A4h
jmp 00007F0674F265F9h
cmp dword ptr [edi], 00000000h
je 00007F0674F265DBh
mov byte ptr [004F9A71h], 00000001h
jmp 00007F0674F265EBh
mov dword ptr [edi], 00000001h
dec eax
mov ecx, dword ptr [00007E7Ah]
dec eax
mov edx, dword ptr [00007E7Bh]
call 00007F0674F2D79Bh
mov eax, dword ptr [edi]
cmp eax, 01h
jne 00007F0674F265EBh
dec eax
mov ecx, dword ptr [00007E50h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa4b0	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4fc000	0x180	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4ff000	0x78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x90a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9410	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa650	0x160	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7536	0x7600	001abb654e69e4ae6592750f9bd2cd30	False	0.5198291843220338	data	6.181037791067278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x1c38	0x1e00	66f1274b0d4fff99975b11edbbb8d26e	False	0.43984375	zlib compressed data	4.575406142198987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x4f0af8	0x4efe00	e5d1ef19d68af2d287b0d989fb645fc8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4fc000	0x180	0x200	8b73049a88b53f4ab5b3ffc22bed842b	False	0.501953125	data	3.091386809163415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x4fd000	0x10	0x200	b18c7380298e104adf73576fa46bccc1	False	0.04296875	data	0.15127132530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x4fe000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4ff000	0x78	0x200	38e71fb92eb3b739d12dc1ada52cdaac	False	0.2265625	data	1.417628095329436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T11:28:15.814425+0100	2826930	ETPRO COINMINER XMR CoinMiner Usage	2	192.168.2.5	49866	51.15.58.224	3333	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:28:25.159193039 CET	49722	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:28:25.278917074 CET	3333	49722	51.89.23.91	192.168.2.5
Dec 18, 2024 11:28:25.279032946 CET	49722	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:28:25.279201031 CET	49722	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:28:25.398729086 CET	3333	49722	51.89.23.91	192.168.2.5
Dec 18, 2024 11:28:27.443288088 CET	3333	49722	51.89.23.91	192.168.2.5
Dec 18, 2024 11:28:27.443380117 CET	49722	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:28:27.443777084 CET	49722	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:28:27.563211918 CET	3333	49722	51.89.23.91	192.168.2.5
Dec 18, 2024 11:28:32.846196890 CET	49742	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:32.965890884 CET	3333	49742	146.59.154.106	192.168.2.5
Dec 18, 2024 11:28:32.966169119 CET	49742	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:32.966169119 CET	49742	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:33.085869074 CET	3333	49742	146.59.154.106	192.168.2.5
Dec 18, 2024 11:28:35.106254101 CET	3333	49742	146.59.154.106	192.168.2.5
Dec 18, 2024 11:28:35.106548071 CET	49742	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:35.109390020 CET	49742	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:35.228977919 CET	3333	49742	146.59.154.106	192.168.2.5
Dec 18, 2024 11:28:40.989547014 CET	49766	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:41.109438896 CET	3333	49766	146.59.154.106	192.168.2.5
Dec 18, 2024 11:28:41.109534025 CET	49766	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:41.109719038 CET	49766	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:41.229219913 CET	3333	49766	146.59.154.106	192.168.2.5
Dec 18, 2024 11:28:43.268759966 CET	3333	49766	146.59.154.106	192.168.2.5
Dec 18, 2024 11:28:43.268974066 CET	49766	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:43.269095898 CET	49766	3333	192.168.2.5	146.59.154.106
Dec 18, 2024 11:28:43.388715029 CET	3333	49766	146.59.154.106	192.168.2.5
Dec 18, 2024 11:28:49.080518961 CET	49787	3333	192.168.2.5	162.19.224.121
Dec 18, 2024 11:28:49.202934980 CET	3333	49787	162.19.224.121	192.168.2.5
Dec 18, 2024 11:28:49.203059912 CET	49787	3333	192.168.2.5	162.19.224.121
Dec 18, 2024 11:28:49.203342915 CET	49787	3333	192.168.2.5	162.19.224.121
Dec 18, 2024 11:28:49.323105097 CET	3333	49787	162.19.224.121	192.168.2.5
Dec 18, 2024 11:28:51.375543118 CET	3333	49787	162.19.224.121	192.168.2.5
Dec 18, 2024 11:28:51.375623941 CET	49787	3333	192.168.2.5	162.19.224.121
Dec 18, 2024 11:28:51.375798941 CET	49787	3333	192.168.2.5	162.19.224.121
Dec 18, 2024 11:28:51.495307922 CET	3333	49787	162.19.224.121	192.168.2.5
Dec 18, 2024 11:28:57.128978014 CET	49806	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:28:57.248472929 CET	3333	49806	141.94.23.83	192.168.2.5
Dec 18, 2024 11:28:57.248590946 CET	49806	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:28:57.248740911 CET	49806	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:28:57.368267059 CET	3333	49806	141.94.23.83	192.168.2.5
Dec 18, 2024 11:28:59.407210112 CET	3333	49806	141.94.23.83	192.168.2.5
Dec 18, 2024 11:28:59.407331944 CET	49806	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:28:59.409065962 CET	49806	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:28:59.528644085 CET	3333	49806	141.94.23.83	192.168.2.5
Dec 18, 2024 11:29:05.347757101 CET	49826	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:29:05.467638016 CET	3333	49826	141.94.23.83	192.168.2.5
Dec 18, 2024 11:29:05.467741013 CET	49826	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:29:05.467916965 CET	49826	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:29:05.587404966 CET	3333	49826	141.94.23.83	192.168.2.5
Dec 18, 2024 11:29:07.619970083 CET	3333	49826	141.94.23.83	192.168.2.5
Dec 18, 2024 11:29:07.620110035 CET	49826	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:29:07.620250940 CET	49826	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:29:07.804224014 CET	3333	49826	141.94.23.83	192.168.2.5
Dec 18, 2024 11:29:13.424288988 CET	49846	3333	192.168.2.5	163.172.154.142
Dec 18, 2024 11:29:13.545331955 CET	3333	49846	163.172.154.142	192.168.2.5
Dec 18, 2024 11:29:13.547019005 CET	49846	3333	192.168.2.5	163.172.154.142
Dec 18, 2024 11:29:13.547182083 CET	49846	3333	192.168.2.5	163.172.154.142
Dec 18, 2024 11:29:13.667202950 CET	3333	49846	163.172.154.142	192.168.2.5
Dec 18, 2024 11:29:15.705348969 CET	3333	49846	163.172.154.142	192.168.2.5
Dec 18, 2024 11:29:15.705461979 CET	49846	3333	192.168.2.5	163.172.154.142
Dec 18, 2024 11:29:15.705596924 CET	49846	3333	192.168.2.5	163.172.154.142
Dec 18, 2024 11:29:15.825015068 CET	3333	49846	163.172.154.142	192.168.2.5
Dec 18, 2024 11:29:21.580427885 CET	49866	3333	192.168.2.5	51.15.58.224
Dec 18, 2024 11:29:21.700124979 CET	3333	49866	51.15.58.224	192.168.2.5
Dec 18, 2024 11:29:21.700375080 CET	49866	3333	192.168.2.5	51.15.58.224
Dec 18, 2024 11:29:21.700542927 CET	49866	3333	192.168.2.5	51.15.58.224
Dec 18, 2024 11:29:21.820127010 CET	3333	49866	51.15.58.224	192.168.2.5
Dec 18, 2024 11:29:23.824852943 CET	3333	49866	51.15.58.224	192.168.2.5
Dec 18, 2024 11:29:23.824970007 CET	49866	3333	192.168.2.5	51.15.58.224
Dec 18, 2024 11:29:23.825160980 CET	49866	3333	192.168.2.5	51.15.58.224
Dec 18, 2024 11:29:23.945516109 CET	3333	49866	51.15.58.224	192.168.2.5
Dec 18, 2024 11:29:29.613317013 CET	49885	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:29.733366966 CET	3333	49885	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:29.733478069 CET	49885	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:29.733654022 CET	49885	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:29.855854034 CET	3333	49885	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:31.939951897 CET	3333	49885	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:31.940125942 CET	49885	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:31.940291882 CET	49885	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:32.059714079 CET	3333	49885	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:37.705380917 CET	49908	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:29:37.824955940 CET	3333	49908	51.15.65.182	192.168.2.5
Dec 18, 2024 11:29:37.825047970 CET	49908	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:29:37.825205088 CET	49908	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:29:37.944655895 CET	3333	49908	51.15.65.182	192.168.2.5
Dec 18, 2024 11:29:39.966728926 CET	3333	49908	51.15.65.182	192.168.2.5
Dec 18, 2024 11:29:39.966882944 CET	49908	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:29:39.967016935 CET	49908	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:29:40.086484909 CET	3333	49908	51.15.65.182	192.168.2.5
Dec 18, 2024 11:29:45.768341064 CET	49927	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:45.887878895 CET	3333	49927	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:45.887970924 CET	49927	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:45.888165951 CET	49927	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:46.007930994 CET	3333	49927	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:48.076984882 CET	3333	49927	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:48.077157021 CET	49927	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:48.077445030 CET	49927	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:48.196959972 CET	3333	49927	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:53.862756968 CET	49944	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:53.982301950 CET	3333	49944	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:53.982414961 CET	49944	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:53.982604980 CET	49944	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:54.102477074 CET	3333	49944	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:56.192370892 CET	3333	49944	54.37.137.114	192.168.2.5
Dec 18, 2024 11:29:56.192471027 CET	49944	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:56.194303989 CET	49944	3333	192.168.2.5	54.37.137.114
Dec 18, 2024 11:29:56.314747095 CET	3333	49944	54.37.137.114	192.168.2.5
Dec 18, 2024 11:30:01.931411028 CET	49966	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:30:02.051003933 CET	3333	49966	51.89.23.91	192.168.2.5
Dec 18, 2024 11:30:02.051100969 CET	49966	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:30:02.051332951 CET	49966	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:30:02.170804024 CET	3333	49966	51.89.23.91	192.168.2.5
Dec 18, 2024 11:30:04.416804075 CET	3333	49966	51.89.23.91	192.168.2.5
Dec 18, 2024 11:30:04.418030024 CET	49966	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:30:04.418246031 CET	49966	3333	192.168.2.5	51.89.23.91
Dec 18, 2024 11:30:04.538065910 CET	3333	49966	51.89.23.91	192.168.2.5
Dec 18, 2024 11:30:10.018007994 CET	49986	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:30:10.137492895 CET	3333	49986	51.15.65.182	192.168.2.5
Dec 18, 2024 11:30:10.137715101 CET	49986	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:30:10.137860060 CET	49986	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:30:10.257277966 CET	3333	49986	51.15.65.182	192.168.2.5
Dec 18, 2024 11:30:12.263906956 CET	3333	49986	51.15.65.182	192.168.2.5
Dec 18, 2024 11:30:12.264055967 CET	49986	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:30:12.264348984 CET	49986	3333	192.168.2.5	51.15.65.182
Dec 18, 2024 11:30:12.383960962 CET	3333	49986	51.15.65.182	192.168.2.5
Dec 18, 2024 11:30:18.196316957 CET	50004	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:30:18.316122055 CET	3333	50004	141.94.23.83	192.168.2.5
Dec 18, 2024 11:30:18.316293001 CET	50004	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:30:18.323472023 CET	50004	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:30:18.443030119 CET	3333	50004	141.94.23.83	192.168.2.5
Dec 18, 2024 11:30:20.468740940 CET	3333	50004	141.94.23.83	192.168.2.5
Dec 18, 2024 11:30:20.468877077 CET	50004	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:30:20.469016075 CET	50004	3333	192.168.2.5	141.94.23.83
Dec 18, 2024 11:30:20.588473082 CET	3333	50004	141.94.23.83	192.168.2.5
Dec 18, 2024 11:30:26.268053055 CET	50014	3333	192.168.2.5	54.37.232.103
Dec 18, 2024 11:30:26.387736082 CET	3333	50014	54.37.232.103	192.168.2.5
Dec 18, 2024 11:30:26.387926102 CET	50014	3333	192.168.2.5	54.37.232.103
Dec 18, 2024 11:30:26.388123989 CET	50014	3333	192.168.2.5	54.37.232.103
Dec 18, 2024 11:30:26.507678986 CET	3333	50014	54.37.232.103	192.168.2.5
Dec 18, 2024 11:30:28.582520008 CET	3333	50014	54.37.232.103	192.168.2.5
Dec 18, 2024 11:30:28.582581997 CET	50014	3333	192.168.2.5	54.37.232.103

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:28:24.764087915 CET	63959	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:28:25.125106096 CET	53	63959	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 11:28:24.764087915 CET	192.168.2.5	1.1.1.1	0xe049	Standard query (0)	xmr-eu1.nanopool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	51.89.23.91	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	51.15.58.224	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	51.15.65.182	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	146.59.154.106	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	54.37.137.114	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	162.19.224.121	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	141.94.23.83	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	51.15.193.130	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	163.172.154.142	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	212.47.253.124	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:28:25.125106096 CET	1.1.1.1	192.168.2.5	0xe049	No error (0)	xmr-eu1.nanopool.org	54.37.232.103	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:28:20
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\gaozw40v.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gaozw40v.exe"
Imagebase:	0x7ff77cad0000
File size:	5'217'792 bytes
MD5 hash:	7D8F7B0C924A228C2CA81D3959D0B604
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "YIFRWLJF"
Imagebase:	0x7ff6edb60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "YIFRWLJF" binpath= "C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe" start= "auto"
Imagebase:	0x7ff6edb60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff6edb60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "YIFRWLJF"
Imagebase:	0x7ff6edb60000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe
Imagebase:	0x7ff6df310000
File size:	5'217'792 bytes
MD5 hash:	7D8F7B0C924A228C2CA81D3959D0B604
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	05:28:23
Start date:	18/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.3472128312.000001E47DAAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.3472012814.000001E47DA7F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000003.2246899263.000001E47DA6A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.3471843342.000001E47DA2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.3471843342.000001E47DA5D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.3471952842.000001E47DA6A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.3472055453.000001E47DA9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.3470703556.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000C.00000002.3470703556.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF77CAD1140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2242913345.00007FF77CAD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77CAD0000, based on PE: true

Associated: 00000000.00000002.2242895870.00007FF77CAD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2242973430.00007FF77CAD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2243004358.00007FF77CADB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2243103457.00007FF77CADC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2244318738.00007FF77CFCA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2244348493.00007FF77CFCC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77cad0000_gaozw40v.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148bc54084fd0555b90557d8aca2c4c7d702f0134a9b5dfb6096d90e54c66531
Instruction ID: 985caae14c43c67b1315aba814fa0c230cf21e40051356b348ea812de830f96c
Opcode Fuzzy Hash: 148bc54084fd0555b90557d8aca2c4c7d702f0134a9b5dfb6096d90e54c66531
Instruction Fuzzy Hash: A8B0922293420A84E3003B61B841B5862606B0D742FC24020D60C0235ACE6E90608B20

Analysis Process: bbwduuyjdzsp.exePID: 5784, Parent PID: 632COMMON

Executed Functions

Function 00007FF6DF311140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2246555690.00007FF6DF311000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6DF310000, based on PE: true

Associated: 0000000A.00000002.2246535934.00007FF6DF310000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2246572920.00007FF6DF319000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2246593762.00007FF6DF31B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2246769484.00007FF6DF594000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2246971762.00007FF6DF80A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2246992593.00007FF6DF80C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff6df310000_bbwduuyjdzsp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148bc54084fd0555b90557d8aca2c4c7d702f0134a9b5dfb6096d90e54c66531
Instruction ID: bf6d3b478dc0cf953f4f959f8316277426b7814e095162a04c1ab54e6787cb85
Opcode Fuzzy Hash: 148bc54084fd0555b90557d8aca2c4c7d702f0134a9b5dfb6096d90e54c66531
Instruction Fuzzy Hash: A6B0922091520984E2006F01D84129C33706B08740F430032C40C4A352CEAD90608B90

Analysis Process: conhost.exePID: 2296, Parent PID: 5784COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.9%
Total number of Nodes:	874
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000000140001394 Relevance: 1.5, APIs: 1, Instructions: 24
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6d4fff4f0636360548835e426a66e6c26faa011563a7036800c6f4553e093b6f
Instruction ID: b4b53409b5b9caf20bc1681aa1e55ebc5b6c245dd35e69454cc8fc6114bca2fb
Opcode Fuzzy Hash: 6d4fff4f0636360548835e426a66e6c26faa011563a7036800c6f4553e093b6f
Instruction Fuzzy Hash: 94F0AFB2608B408AEA16DF62F85179A77A1F38D7C0F009919BBC857735DB3CC190CB80

Non-executed Functions

Function 0000000140003240 Relevance: 147.2, APIs: 59, Strings: 24, Instructions: 1969COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0000000140003386
memset.MSVCRT ref: 00000001400034B2
wcslen.MSVCRT ref: 000000014000351B
_wcsnicmp.MSVCRT ref: 0000000140003549
wcslen.MSVCRT ref: 0000000140003559
wcscpy.MSVCRT ref: 000000014000363E
wcscat.MSVCRT ref: 000000014000364D
memset.MSVCRT ref: 000000014000365E
wcscpy.MSVCRT ref: 00000001400036C1
wcscat.MSVCRT ref: 00000001400036D0
memset.MSVCRT ref: 00000001400036E4

Strings

PROGRAMDATA=, xrefs: 0000000140003851, 0000000140005FBD
\BaseNamedObjects\aykenetfietvhauiedqvbcsk, xrefs: 0000000140004EC8
\reg.exe, xrefs: 0000000140003AB5
Start, xrefs: 00000001400057D6
ATI, xrefs: 0000000140004303
SYSTEMROOT=, xrefs: 0000000140003514, 000000014000352D
\BaseNamedObjects\pvssxmkbqrcvtci, xrefs: 000000014000337C
\BaseNamedObjects\awuawmcedliivtwf, xrefs: 00000001400048DD
ImagePath, xrefs: 0000000140004D4A
\??\, xrefs: 00000001400044AE
\sc.exe, xrefs: 0000000140003B2B
Advanced Micro Devices, xrefs: 00000001400040CA
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 0000000140003814
\??\, xrefs: 00000001400046FF
NVIDIA, xrefs: 000000014000425B
, xrefs: 0000000140005694
\System32, xrefs: 0000000140003643
\Registry\Machine\SYSTEM\CurrentControlSet\Services\YIFRWLJF, xrefs: 0000000140004C5D
ProviderName, xrefs: 0000000140003D4F
AMD, xrefs: 00000001400042AF
\cmd.exe, xrefs: 00000001400036C6
\gaeucrwzinlx\bbwduuyjdzsp.exe, xrefs: 0000000140003A2C
, xrefs: 0000000140004542
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 0000000140003CA5, 0000000140005EA3

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: memsetwcslen$wcscatwcscpy$_wcsnicmp
String ID: $ $AMD$ATI$Advanced Micro Devices$ImagePath$NVIDIA$PROGRAMDATA=$ProviderName$SYSTEMROOT=$Start$\??\$\??\$\BaseNamedObjects\awuawmcedliivtwf$\BaseNamedObjects\aykenetfietvhauiedqvbcsk$\BaseNamedObjects\pvssxmkbqrcvtci$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Services\YIFRWLJF$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\gaeucrwzinlx\bbwduuyjdzsp.exe$\reg.exe$\sc.exe
API String ID: 3506639089-795083485
Opcode ID: d9a518b07f3ffe7339c1e08112a2e74c0657f2c08badb016cc1be291764c324f
Instruction ID: f26be8c31048067a47ae6bba0116aa526cdd299a0b1bb898cbf3be121507f01e
Opcode Fuzzy Hash: d9a518b07f3ffe7339c1e08112a2e74c0657f2c08badb016cc1be291764c324f
Instruction Fuzzy Hash: 304339F1928AC198F723CF3AB8457E563A0BB9D3C8F445215FB84676B6EB794285C304

Function 00000001400027D0 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0000000140002810
wcsncmp.MSVCRT ref: 00000001400029E4
memset.MSVCRT ref: 0000000140002AAC
wcscpy.MSVCRT ref: 0000000140002B15
wcscat.MSVCRT ref: 0000000140002B20
wcslen.MSVCRT ref: 0000000140002B28
wcslen.MSVCRT ref: 0000000140002B40
wcslen.MSVCRT ref: 0000000140002BA0
wcslen.MSVCRT ref: 0000000140002BF2

Strings

0, xrefs: 00000001400029E9
X, xrefs: 0000000140002D83
`, xrefs: 0000000140002D9B

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: wcslen$memset$wcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 780471329-2527496196
Opcode ID: fa0949febd685cafa98e2be44fb2961ab7763317695127e40d645afb1908f4ae
Instruction ID: 223c386af4c6cede7997c2b4004b74b64a2a6f4e2e9e73f612179fe0249af5ff
Opcode Fuzzy Hash: fa0949febd685cafa98e2be44fb2961ab7763317695127e40d645afb1908f4ae
Instruction Fuzzy Hash: 32125CB2618BC081E762CB26F8443EAB7A4F789794F418215EBA957BF5DF78C185C700

Function 0000000140001160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,0000000140001156), ref: 00000001400011A5
_amsg_exit.MSVCRT(?,?,?,0000000140001156), ref: 00000001400011CC
_initterm.MSVCRT ref: 000000014000120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000000140001156), ref: 000000014000124E
malloc.MSVCRT ref: 000000014000127E
strlen.MSVCRT ref: 00000001400012A4
malloc.MSVCRT ref: 00000001400012B0
memcpy.MSVCRT ref: 00000001400012C3
_cexit.MSVCRT(?,?,?,0000000140001156), ref: 000000014000132D

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: 00ee6e837146bd489c88704931ce19aa72437a8b77d852cf8ed99c68c9d05ab7
Instruction ID: 0173254e85a564e61a8a3a49c9588f941871670b928fd4741c3c0de9de8a0377
Opcode Fuzzy Hash: 00ee6e837146bd489c88704931ce19aa72437a8b77d852cf8ed99c68c9d05ab7
Instruction Fuzzy Hash: 485123B1A11A4085FB17EF27F9947EA27A1BB8CBD0F449525FB4D873B2DE3884958300

Function 0000000140001BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(?,?,?,?,0000000140007D10,0000000140007D10,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
VirtualProtect.KERNEL32(?,?,?,?,0000000140007D10,0000000140007D10,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
memcpy.MSVCRT ref: 0000000140001CE0
GetLastError.KERNEL32(?,?,?,?,0000000140007D10,0000000140007D10,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 0000000140001D17
VirtualProtect failed with code 0x%x, xrefs: 0000000140001D29
Address %p has no image-section, xrefs: 0000000140001CF4

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 08a4fb3c40eb33e143ef2651e418b50ecb5cabd22ef0b0973af0b9c293e4ae1b
Instruction ID: 751906d091fa14ff0efb857b6c813c317fb8e343e432a46088fbb53140f1b998
Opcode Fuzzy Hash: 08a4fb3c40eb33e143ef2651e418b50ecb5cabd22ef0b0973af0b9c293e4ae1b
Instruction Fuzzy Hash: 2F4132B1601A4486FA66DF57F884BE927A0F78DBC4F558126EF0E877B1DA38C586C700

Function 0000000140002104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002118
TlsGetValue.KERNEL32 ref: 000000014000214F
GetLastError.KERNEL32 ref: 0000000140002154
LeaveCriticalSection.KERNEL32 ref: 0000000140002212
free.MSVCRT ref: 0000000140002234
DeleteCriticalSection.KERNEL32 ref: 000000014000225D

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 9c3b77ec014d946f9dca45579bf9e30517932c2843f888583e98af01a20e4142
Instruction ID: 46b5d230fc2b0f932c56c437f213ba7c7b06192ad6389750f930ed4934a82883
Opcode Fuzzy Hash: 9c3b77ec014d946f9dca45579bf9e30517932c2843f888583e98af01a20e4142
Instruction Fuzzy Hash: A82106B0305A0192FA6BDB53F9483E82360B76CBD0F448021FF5A57AB4DB79C99AC300

Function 0000000140001E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 0000000140001E27

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 2ee7765771917cc1e7a6703dd5563b6ac32175726b58398eea8052f892d614bf
Instruction ID: 0a00241136535d3b52d22db13b9c7761d843df79eb238cc29e11414bea2eec26
Opcode Fuzzy Hash: 2ee7765771917cc1e7a6703dd5563b6ac32175726b58398eea8052f892d614bf
Instruction Fuzzy Hash: E2213AB1B0150642FA7BDA2BB5903F91192ABCD7E4F258535FF19473F5DE3988C28241

Function 0000000140006360 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0000000140006477

Strings

[(*, xrefs: 0000000140006542
\BaseNamedObjects\pvssxmkbqrcvtci, xrefs: 0000000140006368
[(*, xrefs: 0000000140006502

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: malloc
String ID: [(*$[(*$\BaseNamedObjects\pvssxmkbqrcvtci
API String ID: 2803490479-1032902934
Opcode ID: db1c26535deb65ae80ce79aee487d7b407b19cf237265c2a07583dc6a3fc95f9
Instruction ID: 424e7a59ebe1615b7fe3485060f4d17ead1062e9c8fc3045ad1449ee2b9d2653
Opcode Fuzzy Hash: db1c26535deb65ae80ce79aee487d7b407b19cf237265c2a07583dc6a3fc95f9
Instruction Fuzzy Hash: DB717376701A508BE75AEF26A9007AB3792F34CBCCF084214FF5A677A5DB34D9418780

Function 0000000140001880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9

Strings

Unknown pseudo relocation bit size %d., xrefs: 0000000140001B7B
Unknown pseudo relocation protocol version %d., xrefs: 0000000140001B8B

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 35ec991b1c12168db313a247811e48783c92f0d1e86d3aa55fc3b18a7711a773
Instruction ID: 2caf5101b25886cffd00800b2ee1a3370be2bd5e93e1d7107dd9e500e5e7ade1
Opcode Fuzzy Hash: 35ec991b1c12168db313a247811e48783c92f0d1e86d3aa55fc3b18a7711a773
Instruction Fuzzy Hash: A75115B6B11544DAEB12CF67F840BD82761A759BE8F548211FB1D077B4DB38C586C700

Function 0000000140001800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 000000014000185A

Strings

Unknown error, xrefs: 0000000140001824
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 000000014000184D

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 36bdff08e25d259c42df08d3246086c4ee55e357327d5b22ec33dcc9a787f794
Instruction ID: 9e64e005596143b676571c010edaf991f7d5a4fc6d50f808c59f373a30438413
Opcode Fuzzy Hash: 36bdff08e25d259c42df08d3246086c4ee55e357327d5b22ec33dcc9a787f794
Instruction Fuzzy Hash: BEF0F671A04A4482E212DF2AB9413ED6360E74D3C0F40D211FF4D632A1DF3CD182C310

Function 000000014000219E Relevance: 5.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400021B2
TlsGetValue.KERNEL32 ref: 00000001400021EB
GetLastError.KERNEL32 ref: 00000001400021F0
LeaveCriticalSection.KERNEL32 ref: 000000014000226C

Memory Dump Source

Source File: 0000000B.00000002.3470713880.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000000B.00000002.3470681303.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470737881.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470764140.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.3470785399.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 6e1952d39ecea9d1036a06d8855d564b5ea3ad6eb30e26c1b64b93bbe724e764
Instruction ID: f1456eb7145c119eb9572c0d0cf9fb36c6aa53a9c677d15a11b83bfce31ee7c9
Opcode Fuzzy Hash: 6e1952d39ecea9d1036a06d8855d564b5ea3ad6eb30e26c1b64b93bbe724e764
Instruction Fuzzy Hash: 9201B6B5305A0192FA57DB53FD083D86360B76CBD1F454021EF0957AB4DB79C999C300

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gaozw40v.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\gaeucrwzinlx\bbwduuyjdzsp.exe

C:\Windows\Temp\hvorgvhbwgxh.sys

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
gaozw40v.exe

Function 0000000140001394 Relevance: 1.5, APIs: 1, Instructions: 24
filenativeCOMMON

Function 00000001400027D0 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 376
COMMON

Function 0000000140001160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Function 0000000140001BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Function 0000000140002104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Function 0000000140001E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Function 0000000140006360 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 185
COMMON