Create Interactive Tour

Windows Analysis Report
dllhostex.exe

Overview

General Information

Sample Name:	dllhostex.exe
Analysis ID:	628106
MD5:	45b339245e786106594aceb23d934b4c
SHA1:	80867452d0d8450c122f8613b5c3a7f2d17c9f55
SHA256:	9d7f5355ba13edcb47e83d86da5afb2835b35b4543b20454896a14fff534416b
Infos:

Detection

Xmrig

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Malicious sample detected (through community Yara rule)

Found strings related to Crypto-Mining

Machine Learning detection for sample

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

dllhostex.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\dllhostex.exe" MD5: 45B339245E786106594ACEB23D934B4C)

conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
dllhostex.exe	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18b938:$sa1: stratum+tcp://
dllhostex.exe	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x18e222:$s05: --nicehash 0x1bb4cb:$s05: --nicehash
dllhostex.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x18e081:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x18b670:$s1: [%s] login error code: %d
dllhostex.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
dllhostex.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x18e258:$s1: %s/%s (Windows NT %lu.%lu 0x18b390:$s4: pool_wallet 0x18e408:$s5: cryptonight 0x18e418:$s5: cryptonight 0x190630:$s5: cryptonight 0x190640:$s5: cryptonight 0x190650:$s5: cryptonight 0x190660:$s5: cryptonight 0x190678:$s5: cryptonight 0x190690:$s5: cryptonight 0x1906a0:$s5: cryptonight 0x1906b0:$s5: cryptonight 0x1906c0:$s5: cryptonight 0x1906e8:$s5: cryptonight 0x1906f8:$s5: cryptonight 0x190718:$s5: cryptonight 0x190728:$s5: cryptonight 0x190738:$s5: cryptonight 0x190748:$s5: cryptonight 0x190760:$s5: cryptonight 0x190780:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.614601781.00007FF69D43B000.00000004.00000001.01000000.00000003.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x16cb:$s05: --nicehash
00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1a538:$sa1: stratum+tcp://
00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x1ce22:$s05: --nicehash
00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.347525830.00007FF69D43B000.00000008.00000001.01000000.00000003.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x16cb:$s05: --nicehash
00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1a538:$sa1: stratum+tcp://
00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x1ce22:$s05: --nicehash
00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: dllhostex.exe PID: 6812	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x11b87:$sa1: stratum+tcp:// 0x11bc9:$sa1: stratum+tcp:// 0x25ecd:$sa1: stratum+tcp:// 0x25f0f:$sa1: stratum+tcp://
Process Memory Space: dllhostex.exe PID: 6812	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x134c3:$s05: --nicehash 0x13663:$s05: --nicehash 0x18937:$s05: --nicehash 0x1a1cb:$s05: --nicehash 0x1a8c7:$s05: --nicehash 0x27809:$s05: --nicehash 0x279a9:$s05: --nicehash 0x2d9c3:$s05: --nicehash 0x2d9ce:$s05: --nicehash 0x33f7b:$s05: --nicehash 0x34677:$s05: --nicehash
Process Memory Space: dllhostex.exe PID: 6812	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.dllhostex.exe.7ff69d280000.0.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18b938:$sa1: stratum+tcp://
0.2.dllhostex.exe.7ff69d280000.0.unpack	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x18e222:$s05: --nicehash 0x1bb4cb:$s05: --nicehash
0.2.dllhostex.exe.7ff69d280000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x18e081:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x18b670:$s1: [%s] login error code: %d
0.2.dllhostex.exe.7ff69d280000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.dllhostex.exe.7ff69d280000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x18e258:$s1: %s/%s (Windows NT %lu.%lu 0x18b390:$s4: pool_wallet 0x18e408:$s5: cryptonight 0x18e418:$s5: cryptonight 0x190630:$s5: cryptonight 0x190640:$s5: cryptonight 0x190650:$s5: cryptonight 0x190660:$s5: cryptonight 0x190678:$s5: cryptonight 0x190690:$s5: cryptonight 0x1906a0:$s5: cryptonight 0x1906b0:$s5: cryptonight 0x1906c0:$s5: cryptonight 0x1906e8:$s5: cryptonight 0x1906f8:$s5: cryptonight 0x190718:$s5: cryptonight 0x190728:$s5: cryptonight 0x190738:$s5: cryptonight 0x190748:$s5: cryptonight 0x190760:$s5: cryptonight 0x190780:$s5: cryptonight
0.0.dllhostex.exe.7ff69d280000.0.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18b938:$sa1: stratum+tcp://
0.0.dllhostex.exe.7ff69d280000.0.unpack	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x18e222:$s05: --nicehash 0x1bb4cb:$s05: --nicehash
0.0.dllhostex.exe.7ff69d280000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x18e081:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x18b670:$s1: [%s] login error code: %d
0.0.dllhostex.exe.7ff69d280000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.0.dllhostex.exe.7ff69d280000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x18e258:$s1: %s/%s (Windows NT %lu.%lu 0x18b390:$s4: pool_wallet 0x18e408:$s5: cryptonight 0x18e418:$s5: cryptonight 0x190630:$s5: cryptonight 0x190640:$s5: cryptonight 0x190650:$s5: cryptonight 0x190660:$s5: cryptonight 0x190678:$s5: cryptonight 0x190690:$s5: cryptonight 0x1906a0:$s5: cryptonight 0x1906b0:$s5: cryptonight 0x1906c0:$s5: cryptonight 0x1906e8:$s5: cryptonight 0x1906f8:$s5: cryptonight 0x190718:$s5: cryptonight 0x190728:$s5: cryptonight 0x190738:$s5: cryptonight 0x190748:$s5: cryptonight 0x190760:$s5: cryptonight 0x190780:$s5: cryptonight
Click to see the 5 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dllhostex.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: dllhostex.exe	Metadefender: Detection: 59%			Perma Link
Source: dllhostex.exe	ReversingLabs: Detection: 80%

Machine Learning detection for sample

Source: dllhostex.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dllhostex.exe, type: SAMPLE
Source: Yara match	File source: 0.2.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dllhostex.exe PID: 6812, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: dllhostex.exe, 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: stratum+tcp://
Source: dllhostex.exe, 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: cryptonight/1
Source: dllhostex.exe, 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: stratum+tcp://

Source: dllhostex.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown

DNS traffic detected: queries for: rim.miniast.com

System Summary

Malicious sample detected (through community Yara rule)

Source: dllhostex.exe, type: SAMPLE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: dllhostex.exe, type: SAMPLE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.2.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.2.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.0.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.0.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen

Source: dllhostex.exe, type: SAMPLE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: dllhostex.exe, type: SAMPLE	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: dllhostex.exe, type: SAMPLE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: dllhostex.exe, type: SAMPLE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.2.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 0.2.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0.2.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0.2.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.0.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 0.0.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0.0.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0.0.dllhostex.exe.7ff69d280000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000000.00000002.614601781.00007FF69D43B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000000.00000000.347525830.00007FF69D43B000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: dllhostex.exe PID: 6812, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: dllhostex.exe PID: 6812, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =

Source: dllhostex.exe	Metadefender: Detection: 59%
Source: dllhostex.exe	ReversingLabs: Detection: 80%

Source: C:\Users\user\Desktop\dllhostex.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dllhostex.exe "C:\Users\user\Desktop\dllhostex.exe"
Source: C:\Users\user\Desktop\dllhostex.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\dllhostex.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B8A7AE22-7F59-CDE5-71F9C2A}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_01
Source: C:\Users\user\Desktop\dllhostex.exe	Mutant created: \Sessions\1\BaseNamedObjects\{FA4C20F1-97FC-ED6B-0B488E9}

Source: dllhostex.exe	String found in binary or memory: --help
Source: dllhostex.exe	String found in binary or memory: --help
Source: dllhostex.exe	String found in binary or memory: http-no-restrictediddaemon-poll-intervalself-selectidbackgroundjobcpu-affinitycpu-prioritydonate-leveldonate-over-proxydaemoniddry-runkeepalivecolorsjoblog-filepools--helpjobnicehash2.0.4job_idtlsno-colornonceresulturlno-huge-pagespassprint-timexretriesretry-pausexthreadsuseruser-agentmuserpasssubmitmmax-cpu-usagecpu-max-threads-hintcpu-memory-poolrandomx-initrandomx-no-numaalgocoinhttp%s: unsupported non-option argument '%s'job_id://enableduserpassuserpasstls-fingerprintself-select=log-filetarget@
Source: dllhostex.exe	String found in binary or memory: http-no-restrictediddaemon-poll-intervalself-selectidbackgroundjobcpu-affinitycpu-prioritydonate-leveldonate-over-proxydaemoniddry-runkeepalivecolorsjoblog-filepools--helpjobnicehash2.0.4job_idtlsno-colornonceresulturlno-huge-pagespassprint-timexretriesretry-pausexthreadsuseruser-agentmuserpasssubmitmmax-cpu-usagecpu-max-threads-hintcpu-memory-poolrandomx-initrandomx-no-numaalgocoinhttp%s: unsupported non-option argument '%s'job_id://enableduserpassuserpasstls-fingerprintself-select=log-filetarget@

Source: classification engine

Classification label: mal80.mine.winEXE@2/0@23/4

Source: C:\Users\user\Desktop\dllhostex.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\dllhostex.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: dllhostex.exe

Static file information: File size 1913856 > 1048576

Source: dllhostex.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: dllhostex.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: dllhostex.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x171000

Source: dllhostex.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: dllhostex.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dllhostex.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dllhostex.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dllhostex.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dllhostex.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dllhostex.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dllhostex.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: dllhostex.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: dllhostex.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dllhostex.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dllhostex.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dllhostex.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dllhostex.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: dllhostex.exe	Static PE information: section name: _RANDOMX
Source: dllhostex.exe	Static PE information: section name: _TEXT_CN
Source: dllhostex.exe	Static PE information: section name: _TEXT_CN

Source: C:\Users\user\Desktop\dllhostex.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\dllhostex.exe TID: 4468	Thread sleep count: 79 > 30			Jump to behavior
Source: C:\Users\user\Desktop\dllhostex.exe TID: 4468	Thread sleep time: -79000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\dllhostex.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\dllhostex.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: dllhostex.exe, 00000000.00000002.614148840.0000023249C6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dllhostex.exe, 00000000.00000002.614148840.0000023249C6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL

Source: C:\Users\user\Desktop\dllhostex.exe

Code function: 0_2_00007FF69D334BF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF69D334BF4

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dllhostex.exe	59%	Metadefender		Browse
dllhostex.exe	80%	ReversingLabs	Win64.Trojan.MinerXMRig
dllhostex.exe	100%	Avira	HEUR/AGEN.1213073
dllhostex.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.dllhostex.exe.7ff69d280000.0.unpack	100%	Avira	HEUR/AGEN.1213073		Download File
0.2.dllhostex.exe.7ff69d280000.0.unpack	100%	Avira	HEUR/AGEN.1213073		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wgc.witmone.com	128.199.13.45	true	false		unknown
rim.miniast.com	unknown	unknown	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
128.199.13.45	wgc.witmone.com	United Kingdom	396425	UCCS-UNIVERSITY-OF-COLORADO-COLORADO-SPRINGSUS	false
143.198.40.54	unknown	United States	15557	LDCOMNETFR	false
50.116.24.151	unknown	United States	63949	LINODE-APLinodeLLCUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	628106
Start date and time: 17/05/202210:39:51	2022-05-17 10:39:51 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dllhostex.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.mine.winEXE@2/0@23/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 50%) Quality average: 50% Quality standard deviation: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target dllhostex.exe, PID 6812 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
VT rate limit hit for: dllhostex.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UCCS-UNIVERSITY-OF-COLORADO-COLORADO-SPRINGSUS	xRjjWSOpzT	Get hash	malicious	Browse	128.198.12.9
	YYcy9gLbBC	Get hash	malicious	Browse	128.198.46.200
	2031990c23b02f14927d6e81c767671f030228a52f56f.exe	Get hash	malicious	Browse	128.199.29.128
	4pBotRVtjs.exe	Get hash	malicious	Browse	128.199.29.128
	7PjCt6N7Zo.exe	Get hash	malicious	Browse	128.199.29.128
	x33CSp2DfY.exe	Get hash	malicious	Browse	128.199.29.128
	XGaf4aTBf9.exe	Get hash	malicious	Browse	128.199.29.128
	WlLrviITBK.exe	Get hash	malicious	Browse	128.199.29.128
	a8fAffY502.exe	Get hash	malicious	Browse	128.199.29.128
	323e2c782142c1ccb02e6d28779211eb520317fe73c4a.exe	Get hash	malicious	Browse	128.199.29.128
	K6s3wEt8Ua	Get hash	malicious	Browse	128.198.197.110
	stAlikb7Cy.exe	Get hash	malicious	Browse	128.199.8.104
	One.exe	Get hash	malicious	Browse	128.199.9.173
	dll.dll	Get hash	malicious	Browse	128.199.17.91
	xE08uG0aqO.exe	Get hash	malicious	Browse	128.199.2.90
	(RECEPT)paymra.exe	Get hash	malicious	Browse	128.199.2.90
	mipjWqOenF.exe	Get hash	malicious	Browse	128.199.20.72
	invoice statement.exe	Get hash	malicious	Browse	128.199.2.90
	Document.exe	Get hash	malicious	Browse	128.199.2.90
	doc.exe	Get hash	malicious	Browse	128.199.2.90

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.516420902458902
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dllhostex.exe
File size:	1913856
MD5:	45b339245e786106594aceb23d934b4c
SHA1:	80867452d0d8450c122f8613b5c3a7f2d17c9f55
SHA256:	9d7f5355ba13edcb47e83d86da5afb2835b35b4543b20454896a14fff534416b
SHA512:	534b57598a6625b75f7d2f5b1809a45e22870b029a883b9581e9cbf89aa5a2dc542bbc7932ab6385a57db840f9a2d59e685d0fc5d55b74c1435136f363db06f5
SSDEEP:	49152:x/blD5bZmD2mMsSyC13qhVCzdMMDVTVJVVy9Q5vzt27Xh7IZEvdHJGHPyECPqG:xFmMswqhANDVTVJVVy9Q5vzt27Xh7IZg
TLSH:	91958D5E72A540F4C6ABD578C9178D4EFBB0344A4768A2DF12A046A95F337D18B3EF20
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........!.H.O.H.O.H.O.-.K.P.O.-.L.E.O.-.J...O..*..N.O...J.5.O...K.m.O...L.A.O...K.X.O.-.N.G.O.H.N.a.O...F...O...L.K.O.....I.O.H...I.O

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x1400b4694
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5DE13366 [Fri Nov 29 15:04:06 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4bbc6277cf0fbcf217c523eb79c3890c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6E0CCE1B3Ch
dec eax
add esp, 28h
jmp 00007F6E0CCE1457h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F6E0CCE15F2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F6E0CCE15F5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F6E0CCE15EDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F6E0CCE08B2h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b8d24	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x466000	0x580	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x453000	0xd17c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x467000	0x2088	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x19b5d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x19b6f0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x19b5f0	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x172000	0x810	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x170f34	0x171000	False	0.415947477346	data	6.53282287313	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x172000	0x48840	0x48a00	False	0.39941238167	data	5.35222760144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1bb000	0x297760	0x6a00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x453000	0xd17c	0xd200	False	0.499107142857	data	6.10264622683	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RANDOMX	0x461000	0x556	0x600	False	0.536458333333	data	5.51929080095	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_TEXT_CN	0x462000	0x18ce	0x1a00	False	0.328575721154	data	6.00096849672	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_TEXT_CN	0x464000	0x1184	0x1200	False	0.533203125	data	6.04792421687	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x466000	0x580	0x600	False	0.422526041667	data	3.91697186583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x467000	0x2088	0x2200	False	0.301125919118	data	5.37548400562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x4660a0	0x35c	data	English	United States
RT_MANIFEST	0x466400	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
WS2_32.dll	ntohs, WSASetLastError, WSAStartup, select, WSARecvFrom, bind, WSAIoctl, closesocket, WSASend, shutdown, listen, WSASocketW, getpeername, getsockname, socket, WSARecv, getsockopt, ioctlsocket, setsockopt, FreeAddrInfoW, GetAddrInfoW, htonl, WSAGetLastError, htons, gethostname
IPHLPAPI.DLL	GetAdaptersAddresses
KERNEL32.dll	EnumSystemLocalesW, GetUserDefaultLCID, GetTimeZoneInformation, HeapReAlloc, HeapSize, IsValidLocale, GetFullPathNameW, HeapAlloc, HeapFree, OutputDebugStringA, Sleep, GetLastError, GetLogicalProcessorInformation, CreateThread, ExitProcess, GlobalMemoryStatusEx, GetStdHandle, SetConsoleMode, GetConsoleMode, SizeofResource, LockResource, LoadResource, FindResourceW, CreateMutexA, ReleaseMutex, CloseHandle, FreeConsole, MultiByteToWideChar, SetPriorityClass, GetCurrentProcess, SetThreadPriority, GetCurrentThread, GetProcAddress, GetModuleHandleW, GetConsoleWindow, VirtualProtect, VirtualFree, VirtualAlloc, GetLargePageMinimum, LocalAlloc, LocalFree, FlushInstructionCache, GetFileType, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, RegisterWaitForSingleObject, UnregisterWait, GetConsoleCursorInfo, CreateFileW, DuplicateHandle, PostQueuedCompletionStatus, QueueUserWorkItem, SetConsoleCursorInfo, FillConsoleOutputCharacterW, ReadConsoleInputW, CreateFileA, ReadConsoleW, WriteConsoleInputW, FillConsoleOutputAttribute, WriteConsoleW, GetNumberOfConsoleInputEvents, WideCharToMultiByte, SetConsoleCursorPosition, CreateDirectoryW, ReadFile, GetFileInformationByHandleEx, FindFirstFileW, GetFileSizeEx, SetLastError, FindNextFileW, WriteFile, GetDiskFreeSpaceW, DeviceIoControl, RemoveDirectoryW, GetFinalPathNameByHandleW, SetFileTime, ReOpenFile, CreateHardLinkW, FindClose, GetFileAttributesW, UnmapViewOfFile, GetFileInformationByHandle, FlushViewOfFile, GetSystemInfo, SetFilePointerEx, CreateFileMappingA, MoveFileExW, SetEndOfFile, CreateSymbolicLinkW, GetSystemTimeAsFileTime, MapViewOfFile, FlushFileBuffers, GetLongPathNameW, GetShortPathNameW, GetCurrentDirectoryW, ReadDirectoryChangesW, CreateIoCompletionPort, VerifyVersionInfoA, EnterCriticalSection, GetModuleFileNameW, SetEnvironmentVariableW, LeaveCriticalSection, InitializeCriticalSection, GetVersionExW, FreeEnvironmentStringsW, FileTimeToSystemTime, QueryPerformanceFrequency, VerSetConditionMask, GetCurrentProcessId, QueryPerformanceCounter, GetEnvironmentStringsW, SetConsoleCtrlHandler, RtlUnwind, SetHandleInformation, CreateEventA, SetFileCompletionNotificationModes, SetErrorMode, GetQueuedCompletionStatus, GetQueuedCompletionStatusEx, SetNamedPipeHandleState, CreateNamedPipeW, PeekNamedPipe, WaitForSingleObject, CancelSynchronousIo, GetNamedPipeHandleStateA, CancelIoEx, SwitchToThread, DeleteCriticalSection, ConnectNamedPipe, TerminateProcess, UnregisterWaitEx, LCMapStringW, GetExitCodeProcess, SleepConditionVariableCS, TryEnterCriticalSection, TlsSetValue, ReleaseSemaphore, WakeConditionVariable, InitializeConditionVariable, ResumeThread, SetEvent, TlsAlloc, GetNativeSystemInfo, TlsGetValue, TlsFree, CreateSemaphoreA, GetModuleHandleA, LoadLibraryA, FormatMessageA, DebugBreak, GetStartupInfoW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, SystemTimeToTzSpecificLocalTime, GetDriveTypeW, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, SetFileAttributesW, GetFileAttributesExW, GetConsoleCP, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetProcessHeap, CreateTimerQueue, SignalObjectAndWait, GetThreadPriority, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetThreadTimes, InterlockedPopEntrySList, QueryDepthSList, LoadLibraryW, CopyFileW, CancelIo, InitializeCriticalSectionAndSpinCount, ResetEvent, WaitForSingleObjectEx, CreateEventW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, IsDebuggerPresent, GetCurrentThreadId, InitializeSListHead, GetExitCodeThread, GetTickCount, EncodePointer, DecodePointer, CompareStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, FreeLibrary, LoadLibraryExW, GetCommandLineA, GetCommandLineW, SetStdHandle
USER32.dll	GetMessageA, TranslateMessage, ShowWindow, GetSystemMetrics, DispatchMessageA, MapVirtualKeyW
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, LsaOpenPolicy, LsaAddAccountRights, LsaClose, GetTokenInformation

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	dllhostex.exe
FileVersion	6.3.9600.16384
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	6.3.9600.16384
FileDescription	COM Surrogate
OriginalFilename	dllhostex.exe
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 92
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 17, 2022 10:41:02.804048061 CEST	49753	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:02.804112911 CEST	443	49753	128.199.13.45	192.168.2.7
May 17, 2022 10:41:02.804213047 CEST	49753	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:02.804610014 CEST	49753	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:02.804642916 CEST	443	49753	128.199.13.45	192.168.2.7
May 17, 2022 10:41:02.804698944 CEST	443	49753	128.199.13.45	192.168.2.7
May 17, 2022 10:41:08.685707092 CEST	49773	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:08.685760021 CEST	443	49773	143.198.40.54	192.168.2.7
May 17, 2022 10:41:08.685836077 CEST	49773	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:08.686157942 CEST	49773	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:08.686170101 CEST	443	49773	143.198.40.54	192.168.2.7
May 17, 2022 10:41:08.686230898 CEST	443	49773	143.198.40.54	192.168.2.7
May 17, 2022 10:41:13.731137991 CEST	49774	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:13.731197119 CEST	443	49774	50.116.24.151	192.168.2.7
May 17, 2022 10:41:13.731292009 CEST	49774	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:13.731523991 CEST	49774	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:13.731543064 CEST	443	49774	50.116.24.151	192.168.2.7
May 17, 2022 10:41:13.731684923 CEST	443	49774	50.116.24.151	192.168.2.7
May 17, 2022 10:41:19.335200071 CEST	49775	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:19.335258007 CEST	443	49775	128.199.13.45	192.168.2.7
May 17, 2022 10:41:19.335355997 CEST	49775	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:19.335594893 CEST	49775	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:19.335624933 CEST	443	49775	128.199.13.45	192.168.2.7
May 17, 2022 10:41:19.335676908 CEST	443	49775	128.199.13.45	192.168.2.7
May 17, 2022 10:41:25.371648073 CEST	49776	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:25.371700048 CEST	443	49776	50.116.24.151	192.168.2.7
May 17, 2022 10:41:25.371798038 CEST	49776	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:25.372450113 CEST	49776	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:25.372464895 CEST	443	49776	50.116.24.151	192.168.2.7
May 17, 2022 10:41:25.372528076 CEST	443	49776	50.116.24.151	192.168.2.7
May 17, 2022 10:41:30.417100906 CEST	49781	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:30.417156935 CEST	443	49781	128.199.13.45	192.168.2.7
May 17, 2022 10:41:30.417254925 CEST	49781	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:30.417562962 CEST	49781	443	192.168.2.7	128.199.13.45
May 17, 2022 10:41:30.417587042 CEST	443	49781	128.199.13.45	192.168.2.7
May 17, 2022 10:41:30.417624950 CEST	443	49781	128.199.13.45	192.168.2.7
May 17, 2022 10:41:35.932573080 CEST	49782	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:35.932645082 CEST	443	49782	50.116.24.151	192.168.2.7
May 17, 2022 10:41:35.932735920 CEST	49782	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:35.933005095 CEST	49782	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:35.933032036 CEST	443	49782	50.116.24.151	192.168.2.7
May 17, 2022 10:41:35.933176041 CEST	443	49782	50.116.24.151	192.168.2.7
May 17, 2022 10:41:41.688617945 CEST	49786	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:41.688678026 CEST	443	49786	143.198.40.54	192.168.2.7
May 17, 2022 10:41:41.688788891 CEST	49786	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:41.689177036 CEST	49786	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:41.689203024 CEST	443	49786	143.198.40.54	192.168.2.7
May 17, 2022 10:41:41.689269066 CEST	443	49786	143.198.40.54	192.168.2.7
May 17, 2022 10:41:46.732681036 CEST	49790	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:46.732726097 CEST	443	49790	143.198.40.54	192.168.2.7
May 17, 2022 10:41:46.732836962 CEST	49790	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:46.733661890 CEST	49790	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:46.733690023 CEST	443	49790	143.198.40.54	192.168.2.7
May 17, 2022 10:41:46.733764887 CEST	443	49790	143.198.40.54	192.168.2.7
May 17, 2022 10:41:51.819660902 CEST	49793	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:51.819704056 CEST	443	49793	143.198.40.54	192.168.2.7
May 17, 2022 10:41:51.819797039 CEST	49793	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:51.820024967 CEST	49793	443	192.168.2.7	143.198.40.54
May 17, 2022 10:41:51.820038080 CEST	443	49793	143.198.40.54	192.168.2.7
May 17, 2022 10:41:51.820075989 CEST	443	49793	143.198.40.54	192.168.2.7
May 17, 2022 10:41:56.858988047 CEST	49796	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:56.859025955 CEST	443	49796	50.116.24.151	192.168.2.7
May 17, 2022 10:41:56.859108925 CEST	49796	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:56.859328032 CEST	49796	443	192.168.2.7	50.116.24.151
May 17, 2022 10:41:56.859342098 CEST	443	49796	50.116.24.151	192.168.2.7
May 17, 2022 10:41:56.859425068 CEST	443	49796	50.116.24.151	192.168.2.7
May 17, 2022 10:42:01.926811934 CEST	49803	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:01.926872969 CEST	443	49803	128.199.13.45	192.168.2.7
May 17, 2022 10:42:01.927078962 CEST	49803	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:01.927278996 CEST	49803	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:01.927310944 CEST	443	49803	128.199.13.45	192.168.2.7
May 17, 2022 10:42:01.927387953 CEST	443	49803	128.199.13.45	192.168.2.7
May 17, 2022 10:42:07.130390882 CEST	49806	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:07.130441904 CEST	443	49806	143.198.40.54	192.168.2.7
May 17, 2022 10:42:07.130532980 CEST	49806	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:07.130789042 CEST	49806	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:07.130809069 CEST	443	49806	143.198.40.54	192.168.2.7
May 17, 2022 10:42:07.130856991 CEST	443	49806	143.198.40.54	192.168.2.7
May 17, 2022 10:42:13.113473892 CEST	49826	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:13.113554955 CEST	443	49826	128.199.13.45	192.168.2.7
May 17, 2022 10:42:13.113658905 CEST	49826	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:13.114007950 CEST	49826	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:13.114046097 CEST	443	49826	128.199.13.45	192.168.2.7
May 17, 2022 10:42:13.114236116 CEST	443	49826	128.199.13.45	192.168.2.7
May 17, 2022 10:42:18.174156904 CEST	49851	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:18.174190998 CEST	443	49851	128.199.13.45	192.168.2.7
May 17, 2022 10:42:18.174285889 CEST	49851	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:18.174537897 CEST	49851	443	192.168.2.7	128.199.13.45
May 17, 2022 10:42:18.174551964 CEST	443	49851	128.199.13.45	192.168.2.7
May 17, 2022 10:42:18.174593925 CEST	443	49851	128.199.13.45	192.168.2.7
May 17, 2022 10:42:23.352993965 CEST	49859	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:23.353045940 CEST	443	49859	50.116.24.151	192.168.2.7
May 17, 2022 10:42:23.353128910 CEST	49859	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:23.353341103 CEST	49859	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:23.353358984 CEST	443	49859	50.116.24.151	192.168.2.7
May 17, 2022 10:42:23.353401899 CEST	443	49859	50.116.24.151	192.168.2.7
May 17, 2022 10:42:28.675483942 CEST	49862	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:28.675534964 CEST	443	49862	50.116.24.151	192.168.2.7
May 17, 2022 10:42:28.675632000 CEST	49862	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:28.676105022 CEST	49862	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:28.676132917 CEST	443	49862	50.116.24.151	192.168.2.7
May 17, 2022 10:42:28.676317930 CEST	443	49862	50.116.24.151	192.168.2.7
May 17, 2022 10:42:33.740086079 CEST	49864	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:33.740144014 CEST	443	49864	143.198.40.54	192.168.2.7
May 17, 2022 10:42:33.740520954 CEST	49864	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:33.740597963 CEST	49864	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:33.740612984 CEST	443	49864	143.198.40.54	192.168.2.7
May 17, 2022 10:42:33.740802050 CEST	443	49864	143.198.40.54	192.168.2.7
May 17, 2022 10:42:38.845489025 CEST	49865	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:38.845530033 CEST	443	49865	143.198.40.54	192.168.2.7
May 17, 2022 10:42:38.845613956 CEST	49865	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:38.845859051 CEST	49865	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:38.845877886 CEST	443	49865	143.198.40.54	192.168.2.7
May 17, 2022 10:42:38.845957994 CEST	443	49865	143.198.40.54	192.168.2.7
May 17, 2022 10:42:45.657804012 CEST	49879	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:45.657871962 CEST	443	49879	143.198.40.54	192.168.2.7
May 17, 2022 10:42:45.658014059 CEST	49879	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:45.658505917 CEST	49879	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:45.658546925 CEST	443	49879	143.198.40.54	192.168.2.7
May 17, 2022 10:42:45.658751011 CEST	443	49879	143.198.40.54	192.168.2.7
May 17, 2022 10:42:51.677010059 CEST	49893	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:51.677083969 CEST	443	49893	143.198.40.54	192.168.2.7
May 17, 2022 10:42:51.677278042 CEST	49893	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:51.677695036 CEST	49893	443	192.168.2.7	143.198.40.54
May 17, 2022 10:42:51.677719116 CEST	443	49893	143.198.40.54	192.168.2.7
May 17, 2022 10:42:51.677767992 CEST	443	49893	143.198.40.54	192.168.2.7
May 17, 2022 10:42:56.813823938 CEST	49895	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:56.813893080 CEST	443	49895	50.116.24.151	192.168.2.7
May 17, 2022 10:42:56.814028025 CEST	49895	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:56.814454079 CEST	49895	443	192.168.2.7	50.116.24.151
May 17, 2022 10:42:56.814481974 CEST	443	49895	50.116.24.151	192.168.2.7
May 17, 2022 10:42:56.814542055 CEST	443	49895	50.116.24.151	192.168.2.7
May 17, 2022 10:43:02.813313007 CEST	49896	443	192.168.2.7	50.116.24.151
May 17, 2022 10:43:02.813354969 CEST	443	49896	50.116.24.151	192.168.2.7
May 17, 2022 10:43:02.813545942 CEST	49896	443	192.168.2.7	50.116.24.151
May 17, 2022 10:43:02.813935995 CEST	49896	443	192.168.2.7	50.116.24.151
May 17, 2022 10:43:02.813951015 CEST	443	49896	50.116.24.151	192.168.2.7
May 17, 2022 10:43:02.814038038 CEST	443	49896	50.116.24.151	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 17, 2022 10:41:02.778795004 CEST	63557	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:02.797899961 CEST	53	63557	8.8.8.8	192.168.2.7
May 17, 2022 10:41:08.662842989 CEST	60996	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:08.684148073 CEST	53	60996	8.8.8.8	192.168.2.7
May 17, 2022 10:41:13.709553957 CEST	50519	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:13.729526997 CEST	53	50519	8.8.8.8	192.168.2.7
May 17, 2022 10:41:19.314538956 CEST	58715	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:19.333348036 CEST	53	58715	8.8.8.8	192.168.2.7
May 17, 2022 10:41:25.349741936 CEST	60280	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:25.369450092 CEST	53	60280	8.8.8.8	192.168.2.7
May 17, 2022 10:41:30.397314072 CEST	62353	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:30.415103912 CEST	53	62353	8.8.8.8	192.168.2.7
May 17, 2022 10:41:35.903340101 CEST	64618	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:35.923037052 CEST	53	64618	8.8.8.8	192.168.2.7
May 17, 2022 10:41:41.655468941 CEST	59475	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:41.675179005 CEST	53	59475	8.8.8.8	192.168.2.7
May 17, 2022 10:41:46.710990906 CEST	50125	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:46.730539083 CEST	53	50125	8.8.8.8	192.168.2.7
May 17, 2022 10:41:51.800503016 CEST	59856	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:51.817902088 CEST	53	59856	8.8.8.8	192.168.2.7
May 17, 2022 10:41:56.836751938 CEST	55245	53	192.168.2.7	8.8.8.8
May 17, 2022 10:41:56.856863976 CEST	53	55245	8.8.8.8	192.168.2.7
May 17, 2022 10:42:01.904994965 CEST	58657	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:01.924612045 CEST	53	58657	8.8.8.8	192.168.2.7
May 17, 2022 10:42:07.110817909 CEST	51160	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:07.128505945 CEST	53	51160	8.8.8.8	192.168.2.7
May 17, 2022 10:42:13.088116884 CEST	50915	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:13.107825994 CEST	53	50915	8.8.8.8	192.168.2.7
May 17, 2022 10:42:18.151684999 CEST	49170	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:18.172640085 CEST	53	49170	8.8.8.8	192.168.2.7
May 17, 2022 10:42:23.328731060 CEST	50426	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:23.347460032 CEST	53	50426	8.8.8.8	192.168.2.7
May 17, 2022 10:42:28.653558016 CEST	53953	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:28.673130989 CEST	53	53953	8.8.8.8	192.168.2.7
May 17, 2022 10:42:33.719023943 CEST	58883	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:33.738718033 CEST	53	58883	8.8.8.8	192.168.2.7
May 17, 2022 10:42:38.824866056 CEST	64521	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:38.844070911 CEST	53	64521	8.8.8.8	192.168.2.7
May 17, 2022 10:42:45.597445965 CEST	58097	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:45.616725922 CEST	53	58097	8.8.8.8	192.168.2.7
May 17, 2022 10:42:51.658061028 CEST	59489	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:51.675024986 CEST	53	59489	8.8.8.8	192.168.2.7
May 17, 2022 10:42:56.789693117 CEST	56432	53	192.168.2.7	8.8.8.8
May 17, 2022 10:42:56.809122086 CEST	53	56432	8.8.8.8	192.168.2.7
May 17, 2022 10:43:02.793519020 CEST	53086	53	192.168.2.7	8.8.8.8
May 17, 2022 10:43:02.811012030 CEST	53	53086	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 17, 2022 10:41:02.778795004 CEST	192.168.2.7	8.8.8.8	0x21fb	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:08.662842989 CEST	192.168.2.7	8.8.8.8	0xa2b7	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:13.709553957 CEST	192.168.2.7	8.8.8.8	0x1b8d	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:19.314538956 CEST	192.168.2.7	8.8.8.8	0x5e20	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:25.349741936 CEST	192.168.2.7	8.8.8.8	0x5642	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:30.397314072 CEST	192.168.2.7	8.8.8.8	0xfc2d	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:35.903340101 CEST	192.168.2.7	8.8.8.8	0x3042	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:41.655468941 CEST	192.168.2.7	8.8.8.8	0xc7d9	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:46.710990906 CEST	192.168.2.7	8.8.8.8	0x6cd5	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:51.800503016 CEST	192.168.2.7	8.8.8.8	0x56d2	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:41:56.836751938 CEST	192.168.2.7	8.8.8.8	0xd89f	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:01.904994965 CEST	192.168.2.7	8.8.8.8	0xd5e8	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:07.110817909 CEST	192.168.2.7	8.8.8.8	0x6709	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:13.088116884 CEST	192.168.2.7	8.8.8.8	0xd27b	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:18.151684999 CEST	192.168.2.7	8.8.8.8	0x287b	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:23.328731060 CEST	192.168.2.7	8.8.8.8	0xfc0e	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:28.653558016 CEST	192.168.2.7	8.8.8.8	0xfe31	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:33.719023943 CEST	192.168.2.7	8.8.8.8	0xf663	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:38.824866056 CEST	192.168.2.7	8.8.8.8	0x8652	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:45.597445965 CEST	192.168.2.7	8.8.8.8	0xb888	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:51.658061028 CEST	192.168.2.7	8.8.8.8	0xc335	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:42:56.789693117 CEST	192.168.2.7	8.8.8.8	0xd02e	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)
May 17, 2022 10:43:02.793519020 CEST	192.168.2.7	8.8.8.8	0x726d	Standard query (0)	rim.miniast.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 17, 2022 10:41:02.797899961 CEST	8.8.8.8	192.168.2.7	0x21fb	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:02.797899961 CEST	8.8.8.8	192.168.2.7	0x21fb	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:02.797899961 CEST	8.8.8.8	192.168.2.7	0x21fb	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:02.797899961 CEST	8.8.8.8	192.168.2.7	0x21fb	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:08.684148073 CEST	8.8.8.8	192.168.2.7	0xa2b7	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:08.684148073 CEST	8.8.8.8	192.168.2.7	0xa2b7	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:08.684148073 CEST	8.8.8.8	192.168.2.7	0xa2b7	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:08.684148073 CEST	8.8.8.8	192.168.2.7	0xa2b7	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:13.729526997 CEST	8.8.8.8	192.168.2.7	0x1b8d	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:13.729526997 CEST	8.8.8.8	192.168.2.7	0x1b8d	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:13.729526997 CEST	8.8.8.8	192.168.2.7	0x1b8d	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:13.729526997 CEST	8.8.8.8	192.168.2.7	0x1b8d	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:19.333348036 CEST	8.8.8.8	192.168.2.7	0x5e20	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:19.333348036 CEST	8.8.8.8	192.168.2.7	0x5e20	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:19.333348036 CEST	8.8.8.8	192.168.2.7	0x5e20	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:19.333348036 CEST	8.8.8.8	192.168.2.7	0x5e20	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:25.369450092 CEST	8.8.8.8	192.168.2.7	0x5642	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:25.369450092 CEST	8.8.8.8	192.168.2.7	0x5642	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:25.369450092 CEST	8.8.8.8	192.168.2.7	0x5642	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:25.369450092 CEST	8.8.8.8	192.168.2.7	0x5642	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:30.415103912 CEST	8.8.8.8	192.168.2.7	0xfc2d	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:30.415103912 CEST	8.8.8.8	192.168.2.7	0xfc2d	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:30.415103912 CEST	8.8.8.8	192.168.2.7	0xfc2d	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:30.415103912 CEST	8.8.8.8	192.168.2.7	0xfc2d	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:35.923037052 CEST	8.8.8.8	192.168.2.7	0x3042	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:35.923037052 CEST	8.8.8.8	192.168.2.7	0x3042	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:35.923037052 CEST	8.8.8.8	192.168.2.7	0x3042	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:35.923037052 CEST	8.8.8.8	192.168.2.7	0x3042	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:41.675179005 CEST	8.8.8.8	192.168.2.7	0xc7d9	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:41.675179005 CEST	8.8.8.8	192.168.2.7	0xc7d9	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:41.675179005 CEST	8.8.8.8	192.168.2.7	0xc7d9	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:41.675179005 CEST	8.8.8.8	192.168.2.7	0xc7d9	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:46.730539083 CEST	8.8.8.8	192.168.2.7	0x6cd5	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:46.730539083 CEST	8.8.8.8	192.168.2.7	0x6cd5	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:46.730539083 CEST	8.8.8.8	192.168.2.7	0x6cd5	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:46.730539083 CEST	8.8.8.8	192.168.2.7	0x6cd5	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:51.817902088 CEST	8.8.8.8	192.168.2.7	0x56d2	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:51.817902088 CEST	8.8.8.8	192.168.2.7	0x56d2	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:51.817902088 CEST	8.8.8.8	192.168.2.7	0x56d2	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:41:51.817902088 CEST	8.8.8.8	192.168.2.7	0x56d2	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:56.856863976 CEST	8.8.8.8	192.168.2.7	0xd89f	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:41:56.856863976 CEST	8.8.8.8	192.168.2.7	0xd89f	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:41:56.856863976 CEST	8.8.8.8	192.168.2.7	0xd89f	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:41:56.856863976 CEST	8.8.8.8	192.168.2.7	0xd89f	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:01.924612045 CEST	8.8.8.8	192.168.2.7	0xd5e8	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:01.924612045 CEST	8.8.8.8	192.168.2.7	0xd5e8	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:01.924612045 CEST	8.8.8.8	192.168.2.7	0xd5e8	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:01.924612045 CEST	8.8.8.8	192.168.2.7	0xd5e8	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:07.128505945 CEST	8.8.8.8	192.168.2.7	0x6709	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:07.128505945 CEST	8.8.8.8	192.168.2.7	0x6709	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:07.128505945 CEST	8.8.8.8	192.168.2.7	0x6709	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:07.128505945 CEST	8.8.8.8	192.168.2.7	0x6709	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:13.107825994 CEST	8.8.8.8	192.168.2.7	0xd27b	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:13.107825994 CEST	8.8.8.8	192.168.2.7	0xd27b	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:13.107825994 CEST	8.8.8.8	192.168.2.7	0xd27b	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:13.107825994 CEST	8.8.8.8	192.168.2.7	0xd27b	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:18.172640085 CEST	8.8.8.8	192.168.2.7	0x287b	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:18.172640085 CEST	8.8.8.8	192.168.2.7	0x287b	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:18.172640085 CEST	8.8.8.8	192.168.2.7	0x287b	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:18.172640085 CEST	8.8.8.8	192.168.2.7	0x287b	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:23.347460032 CEST	8.8.8.8	192.168.2.7	0xfc0e	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:23.347460032 CEST	8.8.8.8	192.168.2.7	0xfc0e	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:23.347460032 CEST	8.8.8.8	192.168.2.7	0xfc0e	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:23.347460032 CEST	8.8.8.8	192.168.2.7	0xfc0e	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:28.673130989 CEST	8.8.8.8	192.168.2.7	0xfe31	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:28.673130989 CEST	8.8.8.8	192.168.2.7	0xfe31	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:28.673130989 CEST	8.8.8.8	192.168.2.7	0xfe31	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:28.673130989 CEST	8.8.8.8	192.168.2.7	0xfe31	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:33.738718033 CEST	8.8.8.8	192.168.2.7	0xf663	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:33.738718033 CEST	8.8.8.8	192.168.2.7	0xf663	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:33.738718033 CEST	8.8.8.8	192.168.2.7	0xf663	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:33.738718033 CEST	8.8.8.8	192.168.2.7	0xf663	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:38.844070911 CEST	8.8.8.8	192.168.2.7	0x8652	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:38.844070911 CEST	8.8.8.8	192.168.2.7	0x8652	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:38.844070911 CEST	8.8.8.8	192.168.2.7	0x8652	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:38.844070911 CEST	8.8.8.8	192.168.2.7	0x8652	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:45.616725922 CEST	8.8.8.8	192.168.2.7	0xb888	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:45.616725922 CEST	8.8.8.8	192.168.2.7	0xb888	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:45.616725922 CEST	8.8.8.8	192.168.2.7	0xb888	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:45.616725922 CEST	8.8.8.8	192.168.2.7	0xb888	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:51.675024986 CEST	8.8.8.8	192.168.2.7	0xc335	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:51.675024986 CEST	8.8.8.8	192.168.2.7	0xc335	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:42:51.675024986 CEST	8.8.8.8	192.168.2.7	0xc335	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:51.675024986 CEST	8.8.8.8	192.168.2.7	0xc335	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:56.809122086 CEST	8.8.8.8	192.168.2.7	0xd02e	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:42:56.809122086 CEST	8.8.8.8	192.168.2.7	0xd02e	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)
May 17, 2022 10:42:56.809122086 CEST	8.8.8.8	192.168.2.7	0xd02e	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:42:56.809122086 CEST	8.8.8.8	192.168.2.7	0xd02e	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:43:02.811012030 CEST	8.8.8.8	192.168.2.7	0x726d	No error (0)	rim.miniast.com	wgc.witmone.com		CNAME (Canonical name)	IN (0x0001)
May 17, 2022 10:43:02.811012030 CEST	8.8.8.8	192.168.2.7	0x726d	No error (0)	wgc.witmone.com		50.116.24.151	A (IP address)	IN (0x0001)
May 17, 2022 10:43:02.811012030 CEST	8.8.8.8	192.168.2.7	0x726d	No error (0)	wgc.witmone.com		143.198.40.54	A (IP address)	IN (0x0001)
May 17, 2022 10:43:02.811012030 CEST	8.8.8.8	192.168.2.7	0x726d	No error (0)	wgc.witmone.com		128.199.13.45	A (IP address)	IN (0x0001)

Statistics

Click to jump to process

Memory Usage

• dllhostex.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Behavior

• dllhostex.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: dllhostex.exePID: 6812, Parent PID: 6916

Function Logs

General

Target ID:	0
Start time:	10:41:00
Start date:	17/05/2022
Path:	C:\Users\user\Desktop\dllhostex.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dllhostex.exe"
Imagebase:	0x7ff69d280000
File size:	1913856 bytes
MD5 hash:	45B339245E786106594ACEB23D934B4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000000.00000002.614601781.00007FF69D43B000.00000004.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.614564647.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000000.00000000.347525830.00007FF69D43B000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.347436841.00007FF69D3F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

File Opened

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Network Activities

Socket bound

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6220, Parent PID: 6812

Function Logs

General

Target ID:	1
Start time:	10:41:01
Start date:	17/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7bab80000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dllhostex.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
dllhostex.exe