
Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
Analysis ID: 780311
MD5: fb3be4185b968faec0c3ab87fb4b35aa
SHA1: 1178b06bceea6a8ef6d0a7e16d0b0e8fc600f9ce
SHA256: a0434fdcaec62f8af073f34c580a94cb58d21203f5edf2ccbbcc467b53570d87
Tags: CoinMiner, XMRig, exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Writes to foreign memory regions
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Detected Stratum mining protocol
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
DNS related to crypt mining pools
Uses schtasks.exe or at.exe to add and modify task schedules
PE file contains section with special chars
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Entry point lies outside standard sections
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
Drops PE files
Uses cacls to modify the permissions of files
Detected TCP or UDP traffic on non-standard ports
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious]

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe (PID: 4620 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe MD5: FB3BE4185B968FAEC0C3AB87FB4B35AA)
    • schtasks.exe (PID: 1308 cmdline: "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • icacls.exe (PID: 4180 cmdline: C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD) MD5: 2F768115A6D01814354518DE29EE7CFE)
      • conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • icacls.exe (PID: 3376 cmdline: C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD) MD5: 2F768115A6D01814354518DE29EE7CFE)
      • conhost.exe (PID: 1952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • icacls.exe (PID: 5036 cmdline: C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD) MD5: 2F768115A6D01814354518DE29EE7CFE)
      • conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • IntelCacheUpdater.exe (PID: 2736 cmdline: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe MD5: E5D5641CC9E28BC2C2A5FB15FD39249F)
    • AppLaunch.exe (PID: 5728 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe MD5: 98A8F518B66BA43DF38821C364C3B791)
  • IntelCacheUpdater.exe (PID: 6096 cmdline: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe MD5: E5D5641CC9E28BC2C2A5FB15FD39249F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author | Strings
0000000F.00000002.828300588.000001D7221FD000.00000002.00000400.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000000F.00000002.829305364.000001D722DB0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000000F.00000002.828171244.000001D722167000.00000002.00000400.00020000.00000000.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x1eb8:$sa1: stratum+tcp://
0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x90eb8:$sa1: stratum+tcp://
0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth
  • 0x129fc5:$s01: --cpu-priority=
  • 0x12991d:$s05: --nicehash
(27 additional entries omitted)
Source | Rule | Description | Author | Strings
14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x4bb338:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4bc448:$s3: \\.\WinRing0_
  • 0x4b20e0:$s4: pool_wallet
  • 0x4ad800:$s5: cryptonight
  • 0x4ad810:$s5: cryptonight
  • 0x4ad820:$s5: cryptonight
  • 0x4ad830:$s5: cryptonight
  • 0x4ad848:$s5: cryptonight
  • 0x4ad858:$s5: cryptonight
  • 0x4ad868:$s5: cryptonight
  • 0x4ad880:$s5: cryptonight
  • 0x4ad890:$s5: cryptonight
  • 0x4ad8a8:$s5: cryptonight
  • 0x4ad8c0:$s5: cryptonight
  • 0x4ad8d0:$s5: cryptonight
  • 0x4ad8e0:$s5: cryptonight
  • 0x4ad8f0:$s5: cryptonight
  • 0x4ad908:$s5: cryptonight
  • 0x4ad920:$s5: cryptonight
  • 0x4ad930:$s5: cryptonight
  • 0x4ad940:$s5: cryptonight
14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x4b3330:$a1: mining.set_target
  • 0x4adf58:$a2: XMRIG_HOSTNAME
  • 0x4affb8:$a3: Usage: xmrig [OPTIONS]
  • 0x4adf30:$a4: XMRIG_VERSION
0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x4bb338:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4bc448:$s3: \\.\WinRing0_
  • 0x4b20e0:$s4: pool_wallet
  • 0x4ad800:$s5: cryptonight
  • 0x4ad810:$s5: cryptonight
  • 0x4ad820:$s5: cryptonight
  • 0x4ad830:$s5: cryptonight
  • 0x4ad848:$s5: cryptonight
  • 0x4ad858:$s5: cryptonight
  • 0x4ad868:$s5: cryptonight
  • 0x4ad880:$s5: cryptonight
  • 0x4ad890:$s5: cryptonight
  • 0x4ad8a8:$s5: cryptonight
  • 0x4ad8c0:$s5: cryptonight
  • 0x4ad8d0:$s5: cryptonight
  • 0x4ad8e0:$s5: cryptonight
  • 0x4ad8f0:$s5: cryptonight
  • 0x4ad908:$s5: cryptonight
  • 0x4ad920:$s5: cryptonight
  • 0x4ad930:$s5: cryptonight
  • 0x4ad940:$s5: cryptonight
(4 additional entries omitted)

No Sigma rule has matched

Snort IDS alert
Timestamp: 01/08/23-20:38:20.193810
Source IP: 192.168.2.4
Destination IP: 51.15.54.102
Source Port: 49696
Destination Port: 14444
SID: 2831812
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | ReversingLabs: Detection: 43%
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Virustotal: Detection: 55%
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe | Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.828300588.000001D7221FD000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.829305364.000001D722DB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.828946727.000001D722D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5728, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: stratum+tcp://
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: cryptonight/0
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: stratum+tcp://
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: XMRig 6.18.1
Source: global traffic | TCP traffic: 192.168.2.4:49696 -> 51.15.54.102:14444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46zprqb8ncwy2gxdc29wawbyafrjxkazpkcrwtnzufnhq7stzzcb6dauvdy6gzktmufhfrtvslpj7bglhthlzg1t7mztkaq","pass":"x","agent":"xmrig/6.18.1 (windows nt 10.0; win64; x64) libuv/1.44.1 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: unknown | DNS query: name: xmr-eu1.nanopool.org
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.4:49696 -> 51.15.54.102:14444
Source: Joe Sandbox View | ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View | IP Address: 51.15.54.102 51.15.54.102
Source: global traffic | TCP traffic: 192.168.2.4:49696 -> 51.15.54.102:14444
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://xmrig.com/benchmark/%s
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://xmrig.com/wizard
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown | DNS traffic detected: queries for: xmr-eu1.nanopool.org

System Summary

Source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: S(I))X)(
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: UERMA(FT
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: &#^JUAMN
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: BXPR#EHV
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: M)AVSKGU
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: DJ%Y)WXR
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: $DG*YHKG
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: JMM*HMY*
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: VWTNI(*)
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: YFSUA$*A
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: section name: IWANMY)R
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: S(I))X)(
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: UERMA(FT
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: &#^JUAMN
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: BXPR#EHV
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: M)AVSKGU
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: DJ%Y)WXR
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: $DG*YHKG
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: JMM*HMY*
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: VWTNI(*)
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: YFSUA$*A
Source: IntelCacheUpdater.exe.0.dr | Static PE information: section name: IWANMY)R
Source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000F.00000002.828171244.000001D722167000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR | Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR | Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: AppLaunch.exe PID: 5728, type: MEMORYSTR | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR | Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process Stats: CPU usage > 98%
Source: IntelCacheUpdater.exe.0.dr | Static PE information: Number of sections : 12 > 10
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Static PE information: Number of sections : 12 > 10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)
Source: C:\Windows\System32\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)
Source: C:\Windows\System32\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD)
Source: C:\Windows\System32\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Source: unknown | Process created: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeProcess created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeProcess created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeProcess created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD)Jump to behavior
            Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exeJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
            Source: classification engineClassification label: mal100.evad.mine.winEXE@17/2@1/1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeMutant created: \Sessions\1\BaseNamedObjects\LMKdPJPGHX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exeMutant created: \Sessions\1\BaseNamedObjects\LsGstlmPaf
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1952:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: Image base 0x140000000 > 0x60000000
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic file information: File size 5866496 > 1048576
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: Raw size of YFSUA$*A is bigger than: 0x100000 < 0x596c00
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exeCode function: 15_2_0000006401B8DB98 pushfd ; iretd 15_2_0000006401B8DB99
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: S(I))X)(
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: UERMA(FT
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: &#^JUAMN
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: BXPR#EHV
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: M)AVSKGU
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: DJ%Y)WXR
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: $DG*YHKG
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: JMM*HMY*
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: VWTNI(*)
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: YFSUA$*A
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: section name: IWANMY)R
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: S(I))X)(
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: UERMA(FT
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: &#^JUAMN
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: BXPR#EHV
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: M)AVSKGU
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: DJ%Y)WXR
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: $DG*YHKG
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: JMM*HMY*
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: VWTNI(*)
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: YFSUA$*A
            Source: IntelCacheUpdater.exe.0.drStatic PE information: section name: IWANMY)R
            Source: initial sampleStatic PE information: section where entry point is pointing to: YFSUA$*A
            Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeStatic PE information: real checksum: 0x5a6967 should be: 0x59d958
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeFile created: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exeJump to dropped file
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exeFile created: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exeJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | System information queried: FirmwareTableInformation
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe TID: 5772 | Thread sleep count: 2561 > 30
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe TID: 5772 | Thread sleep count: 141 > 30
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Dropped PE file which has not been started: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 2561
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | Window / User API: foregroundWindowGot 1775
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | Process information queried: ProcessInformation
            Source: AppLaunch.exe, 0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW =
            Source: AppLaunch.exe, 0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe, 49 writes at the following bases: 1D721D50000, 1D721D51000, 1D7220D8000, 1D722245000, 1D7224F6000, 1D722516000, 1D722517000, 1D72251A000, 1D72251C000, 1D72251D000, 1D7226FC000, 1D7226FD000, 1D722C94000, 1D7227C1281, 1D7227C3DE0, 1D7227C3DE8, 1D7227C3DF0, 1D7227C3DF8, 1D7227C3E08, 1D7227C3E10, 1D722B97F6D, 1D722B9800C, 1D722BACD24, 1D722BACD95, 1D722BB52C9, 1D722BB5357, 1D722BEACAB, 1D722BEAD1E, 1D722BECC00, 1D722C147A6, 1D722C14830, 1D722C267BD, 1D722C2688D, 1D722C2E091, 1D722C2E11A, 1D722C400AE, 1D722C5301A, 1D722C530AF, 1D722C66582, 1D722C6661E, 1D722C73618, 1D722C73630, 1D722C73638, 1D722C736C0, 1D722C736D8, 1D722C736E0, 1D722C736E8, 1D722C736F0, 6401DA0010
            Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D721D50000 protect: page execute and read and write
            Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D721D50000 value starts with: 4D5A
            Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe | Thread register set: target process: 5728
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD)
            Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
            Source: AppLaunch.exe, 0000000F.00000002.826986346.00000064022FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: dProgram Manager
            Source: IntelCacheUpdater.exe, 00000010.00000002.827251631.000001F1D6CD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: EProgram Managerzx
            Source: AppLaunch.exe, 0000000F.00000002.826986346.00000064022FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: IntelCacheUpdater.exe, 00000010.00000002.827251631.000001F1D6CD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: IntelCacheUpdater.exe, 00000010.00000002.827251631.000001F1D6CD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: AppLaunch.exe, 0000000F.00000002.826986346.00000064022FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: perfmon.exe?Taskmgr.exeProgram Manager
            Source: IntelCacheUpdater.exe, 00000010.00000002.827251631.000001F1D6CD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the report's hit count for that technique, techniques without a number had no hits)

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: Scheduled Task/Job (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
            Persistence: Scheduled Task/Job (1); Services File Permissions Weakness (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Privilege Escalation: Process Injection (412); Scheduled Task/Job (1); Services File Permissions Weakness (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (412); Obfuscated Files or Information (1); Services File Permissions Weakness (1); Software Packing; Steganography; Compile After Delivery
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (11); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
            Behavior Graph (ID: 780311, Sample: SecuriteInfo.com.Trojan.Gen..., Startdate: 08/01/2023, Architecture: WINDOWS, Score: 100)

            Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

            Process tree recovered from the graph:
            • IntelCacheUpdater.exe (started from the analysis root)
              Signatures: Antivirus detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
              → AppLaunch.exe
                  Network: 51.15.54.102, port 14444 (local port 49696), OnlineSASFR, France; DNS: xmr-eu1.nanopool.org
                  Signatures: Query firmware table information (likely to detect VMs); Detected Stratum mining protocol (on the 51.15.54.102 connection)
            • SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe (started from the analysis root)
              Dropped files: C:\ProgramData\...\IntelCacheUpdater.exe (PE32+); C:\...\IntelCacheUpdater.exe:Zone.Identifier (ASCII)
              Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
              → icacls.exe → conhost.exe
              → icacls.exe → conhost.exe
              → schtasks.exe → conhost.exe
              → icacls.exe → conhost.exe
            • IntelCacheUpdater.exe (second instance, started from the analysis root)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial sample:
            Source | Detection | Scanner | Label | Link
            SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | 44% | ReversingLabs | Win64.Trojan.Tasker |
            SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | 56% | Virustotal | | Browse
            SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe | 100% | Joe Sandbox ML | |

            Dropped files:
            Source | Detection | Scanner | Label | Link
            C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe | 100% | Avira | TR/Crypt.OPACK.Gen |

            No Antivirus matches
            No Antivirus matches

            URLs:
            Source | Detection | Scanner | Label | Link
            https://xmrig.com/benchmark/%s | 0% | URL Reputation | safe |
            https://xmrig.com/wizard | 0% | URL Reputation | safe |
            https://xmrig.com/wizard%s | 0% | URL Reputation | safe |
            https://xmrig.com/docs/algorithms | 0% | URL Reputation | safe |


            Domains:
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            xmr-eu1.nanopool.org | 135.125.238.108 | true | false | | high
              URLs found in memory:
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://xmrig.com/benchmark/%s | SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | false | URL Reputation: safe | unknown
              https://xmrig.com/wizard | SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | false | URL Reputation: safe | unknown
              https://xmrig.com/wizard%s | SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | false | URL Reputation: safe | unknown
              https://xmrig.com/docs/algorithms | SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp | false | URL Reputation: safe | unknown
IP            Domain   Country  ASN    ASN Name     Malicious
51.15.54.102  unknown  France   12876  OnlineSASFR  true
              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:780311
              Start date and time:2023-01-08 20:35:13 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 11m 25s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:17
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.evad.mine.winEXE@17/2@1/1
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• Execution Graph export aborted for target AppLaunch.exe, PID 5728 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
Time      Type            Description
20:36:09  Task Scheduler  Run new task: IntelUpdaterTask, path: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
Context for IP 51.15.54.102 (other samples in the Joe Sandbox corpus seen contacting this address; all detected as malicious):
  file.exe (7 separate samples)
  WinUpdate.bin.exe
  mofcomp.exe
  mtOre6QlR1.exe
  GsszZ7R99d.exe
  YbobbV8n9S.exe
  q1loKHVGJ6.exe
  UW5ylDoXLs.exe
  2mdb3OG6FM.exe
  dllhost.exe
  wJtL8lkk83.exe
  YbVuzaXA3o.exe
  tSXyqrumfM.exe
  LAcZLfYrj5.exe
Context for domain xmr-eu1.nanopool.org (20 other samples, all named file.exe and all detected as malicious, resolved this pool host; address each sample received):
  51.15.78.68      5 samples
  51.15.54.102     4 samples
  51.15.69.136     3 samples
  135.125.238.108  3 samples
  51.255.34.118    2 samples
  51.15.65.182     1 sample
  51.68.190.80     1 sample
  51.15.58.224     1 sample
Context for ASN OnlineSASFR (other samples, all detected as malicious, that contacted addresses in this ASN; sample name and address):
  file.exe                           151.115.10.1
  file.exe                           51.15.65.182
  ZBdhdOCSw8.elf                     151.115.48.192
  file.exe                           51.15.65.182
  rM8kh7uPK0.elf                     51.15.103.82
  file.exe                           51.15.78.68
  file.exe                           51.15.69.136
  DvuGZ73eK1.exe                     163.172.208.8
  file.exe                           51.15.58.224
  https://cammeteo.ru/fr/chto-za-fail-download-kak-otkryt-lyuboi-fail-chem-otkryt-pdf-fail-na/   62.210.26.219
  GFHSHDFSDFUOHSDFIOHJSDFOIHJ.exe    51.15.78.68
  file.exe                           51.15.69.136
  file.exe                           51.15.65.182
  file.exe                           51.15.65.182
  PixelSee_id72271id.exe             51.158.164.188
  file.exe                           51.15.58.224
  file.exe                           151.115.10.1
  file.exe                           151.115.10.1
  file.exe                           51.15.78.68
  file.exe                           51.15.65.182
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:modified
                                                      Size (bytes):1156876496
                                                      Entropy (8bit):0.8937142925128981
                                                      Encrypted:false
                                                      SSDEEP:
                                                      MD5:E1DC50830CEA9CD7B7D76E372CF12945
                                                      SHA1:E8997605F20A0692C9A54138DC6351D29AB3B516
                                                      SHA-256:A69DD7DB2B4E233A9CD53923D8E6CA860012B0C805D17BC5D51FE7870A10F116
                                                      SHA-512:4D55D47B79BE215B5758A4CBE0D909F5CAD1867397142978426B1273176A82558762FFA7F0349D839EEE1D1DEFE20655E3A78F6533195E3C1F7339849D39102D
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......G.-f..C5..C5..C5.@4..C5.F4..C5e..5..C5Q.G4..C5Q.@4..C5Q.F4].C5.G4..C5..G4..C5..B5..C5.B4..C5.G4P.C5..J4..C5..@4..C5...5..C5...5..C5..A4..C5Rich..C5........PE..d....%.c.........."......d8...D......9.........@.............................P......giZ...`.................................................................;...............@.......;.......................=..(....5..8............................................text...(c8......................... ..`S(I))X)(......8.....................@..@UERMA(FT..+..PO.....................@...&#^JUAMN.....`z.....................@..@BXPR#EHVV....`|.....................@..`M)AVSKGU.&...p|.....................@..`DJ%Y)WXR......|.....................@..`$DG*YHKG......|.....................@..@JMM*HMY*<.....|..................... ..`VWTNI(*)h...........................@...YFSUA$*A.jY.....lY.................`..hIWANMY)R
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Entropy (8bit):7.889927219388042
                                                      TrID:
                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                      • DOS Executable Generic (2002/1) 0.92%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
                                                      File size:5866496
                                                      MD5:fb3be4185b968faec0c3ab87fb4b35aa
                                                      SHA1:1178b06bceea6a8ef6d0a7e16d0b0e8fc600f9ce
                                                      SHA256:a0434fdcaec62f8af073f34c580a94cb58d21203f5edf2ccbbcc467b53570d87
                                                      SHA512:bd52fe456a64f33138aef978a2dce5226bda37c7443374d094cc8af820e985b37663c0242a701fb91e7bba963936f0d7f679ad16a2a01b422209d79b327a4b7d
                                                      SSDEEP:98304:DzcoXAO0U/5C+AhzryokB1KAQk3JLdaeHz2z/mqwuQQl4hiSKLJgtl4EPMuIF03H:DAo/0Uxe91w155B7HURwLS43njM50M
                                                      TLSH:FF46227D229C339CC01EC9B85027FD4AB2B2161E86F999ED71CAFAC07FEB4159541B06
                                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......G.-f..C5..C5..C5..@4..C5..F4..C5e..5..C5Q.G4..C5Q.@4..C5Q.F4].C5..G4..C5..G4..C5..B5..C5..B4..C5..G4P.C5..J4..C5..@4..C5...5..C
                                                      Icon Hash:00828e8e8686b000
                                                      Entrypoint:0x140a93917
                                                      Entrypoint Section:YFSUA$*A
                                                      Digitally signed:false
                                                      Imagebase:0x140000000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x63B72582 [Thu Jan 5 19:31:14 2023 UTC]
                                                      TLS Callbacks:0x40a67abf, 0x1, 0x4034bf9c, 0x1
                                                      CLR (.Net) Version:
                                                      OS Version Major:6
                                                      OS Version Minor:0
                                                      File Version Major:6
                                                      File Version Minor:0
                                                      Subsystem Version Major:6
                                                      Subsystem Version Minor:0
                                                      Import Hash:e348149d1683ef4048816a2bc0991e05
Instruction (entry-point disassembly as rendered by the report; the bytes are decoded in 32-bit mode although the file is PE32+, so the leading inc ecx / dec eax / dec ecx entries are REX prefixes of 64-bit instructions, and within a few instructions the stream degenerates into bytes that decode as aaa, lds, in and out, which is what an obfuscated or packed entry point in the non-standard section YFSUA$*A looks like)
                                                      inc ecx
                                                      push edx
                                                      pushfd
                                                      dec ecx
                                                      mov edx, 7745210Ch
                                                      cli
                                                      dec ebx
                                                      jbe 00007F2864F2AD4Eh
                                                      dec ecx
                                                      not edx
                                                      dec ecx
                                                      test edx, 37196CA5h
                                                      inc ecx
                                                      not edx
                                                      dec esi
                                                      mov edx, dword ptr [esp+edx-77452104h]
                                                      dec eax
                                                      mov dword ptr [esp+08h], E223B617h
                                                      push dword ptr [esp+00h]
                                                      popfd
                                                      dec eax
                                                      lea esp, dword ptr [esp+08h]
                                                      call 00007F286537C51Ch
                                                      jnc 00007F2864F2AD7Dh
                                                      mov esi, 7AB078C9h
                                                      scasd
                                                      aaa
                                                      cmc
                                                      mov ch, 2Ch
                                                      inc ecx
                                                      js 00007F2864F2AD6Bh
                                                      push esp
                                                      cmpsb
                                                      leave
                                                      lahf
                                                      nop
                                                      mov esi, 5CC107C9h
                                                      loopne 00007F2864F2ACCBh
                                                      push cs
                                                      mov eax, B7358B2Fh
                                                      iretd
                                                      jecxz 00007F2864F2AD48h
                                                      nop
                                                      inc edi
                                                      push eax
                                                      enter 3FF5h, 22h
                                                      out C9h, al
                                                      mov al, 99h
                                                      mov byte ptr [152AC9B7h], al
                                                      jnbe 00007F2864F2AC93h
                                                      xor eax, 5565DC34h
                                                      enter C975h, 33h
                                                      mov ebx, 4B747CC9h
                                                      pop esp
                                                      wait
                                                      lodsb
                                                      sub dword ptr [esi+esi-3Bh], eax
                                                      add eax, 4C361A43h
                                                      in al, 30h
                                                      jno 00007F2864F2ACCCh
                                                      mov ebx, C9BCFCD3h
                                                      xchg byte ptr [eax+ebx*2-56h], bl
                                                      aaa
                                                      lds esp, fword ptr [edi]
                                                      xchg esi, edi
                                                      and al, 03h
                                                      and eax, 1F26F337h
                                                      push es
                                                      jl 00007F2864F2ACF4h
                                                      push FFFFFF91h
                                                      imul ebp, esp, AE6BEEC9h
                                                      xchg dword ptr [edi], esi
                                                      dec esi
                                                      adc ebx, edi
                                                      inc ecx
                                                      add dword ptr [eax], eax
                                                      add byte ptr [edi-5CDB0E33h], bh
                                                      add al, A8h
                                                      rcr al, 00000018h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa6d7c0         0xf0          YFSUA$*A
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0xf23bc0         0x1fecc       YFSUA$*A
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf44000         0xc8          IWANMY)R
IMAGE_DIRECTORY_ENTRY_DEBUG           0xf23ba0         0x1c          YFSUA$*A
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xa73de0         0x28          YFSUA$*A
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xf235c0         0x138         YFSUA$*A
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x9ac000         0xe0          VWTNI(*)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text     0x1000           0x386328      0x0       unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
S(I))X)(  0x388000         0x16c8b8      0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
UERMA(FT  0x4f5000         0x2b00b8      0x0       unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
&#^JUAMN  0x7a6000         0x1fab8       0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
BXPR#EHV  0x7c6000         0xc56         0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
M)AVSKGU  0x7c7000         0x26d1        0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DJ%Y)WXR  0x7ca000         0x1184        0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
$DG*YHKG  0x7cc000         0xf4          0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
JMM*HMY*  0x7cd000         0x1de33c      0x0       False     0                empty      0.0                  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
VWTNI(*)  0x9ac000         0xe68         0x1000    False     0.029541015625   data       0.16020090306466317  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
YFSUA$*A  0x9ad000         0x596a8c      0x596c00  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
IWANMY)R  0xf44000         0xc8          0x200     False     0.333984375      data       1.9514876730930713   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL           Import
WS2_32.dll    recv
IPHLPAPI.DLL  GetAdaptersAddresses
USERENV.dll   GetUserProfileDirectoryW
CRYPT32.dll   CertFindCertificateInStore
KERNEL32.dll  GetVersionExA
USER32.dll    IsWindowVisible
SHELL32.dll   SHGetSpecialFolderPathA
ole32.dll     CoInitializeEx
ADVAPI32.dll  SystemFunction036
bcrypt.dll    BCryptGenRandom
KERNEL32.dll  LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress
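Taken together, the static tables above describe a packed binary: only .text keeps a standard section name, nine of the twelve sections have no bytes on disk (raw size 0) yet reserve large virtual ranges to be filled at runtime, the entry point 0x140a93917 (RVA 0xa93917) lies in YFSUA$*A, which holds 0x596c00 = 5,860,352 of the file's 5,866,496 bytes, and the import table is reduced to a few functions per DLL plus LoadLibraryA and GetProcAddress, the pair a packer stub uses to resolve the real imports after unpacking. The script below is an added example and not part of the Joe Sandbox report: it transcribes the section and import tables and runs those checks. The thresholds (a section holding over 90% of file bytes, fewer than 32 imports) are assumptions for the example.

```python
"""Static triage of the section table, entry point and import list above.

Added example, not part of the Joe Sandbox report. The section and import
data are transcribed from the report; the 90% and 32 thresholds are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IMAGE_SCN_* flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names the MSVC toolchain emits; anything else deserves a look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".00cfg", "_RDATA"}
_NAME_OK = re.compile(r"^[\w.$]+$")


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


IMAGE_BASE = 0x140000000
ENTRY_POINT = 0x140a93917

_X = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
_R = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
_RW = _R | IMAGE_SCN_MEM_WRITE
_RX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ

# Transcribed from the report's section table.
SECTIONS = [
    Section(".text",    0x001000, 0x386328, 0x000000, _X),
    Section("S(I))X)(", 0x388000, 0x16c8b8, 0x000000, _R),
    Section("UERMA(FT", 0x4f5000, 0x2b00b8, 0x000000, _RW),
    Section("&#^JUAMN", 0x7a6000, 0x01fab8, 0x000000, _R),
    Section("BXPR#EHV", 0x7c6000, 0x000c56, 0x000000, _RX),
    Section("M)AVSKGU", 0x7c7000, 0x0026d1, 0x000000, _RX),
    Section("DJ%Y)WXR", 0x7ca000, 0x001184, 0x000000, _RX),
    Section("$DG*YHKG", 0x7cc000, 0x0000f4, 0x000000, _R),
    Section("JMM*HMY*", 0x7cd000, 0x1de33c, 0x000000, _X),
    Section("VWTNI(*)", 0x9ac000, 0x000e68, 0x001000, _RW),
    Section("YFSUA$*A", 0x9ad000, 0x596a8c, 0x596c00, _X | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_NOT_PAGED),
    Section("IWANMY)R", 0xf44000, 0x0000c8, 0x000200, _R | IMAGE_SCN_MEM_DISCARDABLE),
]

# Transcribed from the report's import table (KERNEL32.dll appears twice there; merged).
IMPORTS: Dict[str, List[str]] = {
    "WS2_32.dll": ["recv"], "IPHLPAPI.DLL": ["GetAdaptersAddresses"],
    "USERENV.dll": ["GetUserProfileDirectoryW"], "CRYPT32.dll": ["CertFindCertificateInStore"],
    "USER32.dll": ["IsWindowVisible"], "SHELL32.dll": ["SHGetSpecialFolderPathA"],
    "ole32.dll": ["CoInitializeEx"], "ADVAPI32.dll": ["SystemFunction036"],
    "bcrypt.dll": ["BCryptGenRandom"],
    "KERNEL32.dll": ["GetVersionExA", "LocalAlloc", "LocalFree", "GetModuleFileNameW",
                     "ExitProcess", "LoadLibraryA", "GetModuleHandleA", "GetProcAddress"],
}


def rva_to_section(sections: List[Section], rva: int) -> Optional[Section]:
    return next((s for s in sections if s.contains_rva(rva)), None)


def triage_sections(sections: List[Section], entry_va: int, image_base: int) -> List[str]:
    findings: List[str] = []
    total_raw = sum(s.raw_size for s in sections)
    for s in sections:
        if s.name not in STANDARD_NAMES:
            findings.append(f"{s.name}: non-standard section name")
        if not _NAME_OK.match(s.name):
            findings.append(f"{s.name}: special characters in section name")
        if s.raw_size == 0 and s.virtual_size > 0:
            findings.append(f"{s.name}: no data on disk, 0x{s.virtual_size:x} bytes reserved at runtime")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: writable and executable")
        if total_raw and s.raw_size / total_raw > 0.9:
            findings.append(f"{s.name}: holds {s.raw_size / total_raw:.1%} of file bytes")
    ep = rva_to_section(sections, entry_va - image_base)
    if ep is None:
        findings.append(f"entry point 0x{entry_va:x} lies outside every section")
    elif ep.name != ".text":
        findings.append(f"entry point 0x{entry_va:x} lies in {ep.name}, not .text")
    return findings


def minimal_import_table(imports: Dict[str, List[str]], max_imports: int = 32) -> bool:
    """True when the import table is small and carries the LoadLibraryA/GetProcAddress
    pair a packer stub needs to resolve the real imports at runtime."""
    all_funcs = {f for funcs in imports.values() for f in funcs}
    k32 = {f for dll, funcs in imports.items() if dll.lower() == "kernel32.dll" for f in funcs}
    return len(all_funcs) < max_imports and {"LoadLibraryA", "GetProcAddress"} <= k32


if __name__ == "__main__":
    for line in triage_sections(SECTIONS, ENTRY_POINT, IMAGE_BASE):
        print(line)
    print("minimal import table:", minimal_import_table(IMPORTS))
```

None of these sections is both writable and executable, so a naive RWX check alone would miss this sample; the raw-size-zero sections and the entry point in the one large non-standard section are the signals that carry the verdict here.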


Timestamp                 Protocol  SID      Message                                                                 Source IP    Source Port  Dest IP       Dest Port
01/08/23-20:38:20.193810  TCP       2831812  ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)  192.168.2.4  49696        51.15.54.102  14444
• Total Packets: 8
• 14444 (no registered service; Stratum mining traffic per the alert above)
• 53 (DNS)
TCP packets
Timestamp                           Source IP     Source Port  Dest IP       Dest Port
Jan 8, 2023 20:38:20.147716045 CET  192.168.2.4   49696        51.15.54.102  14444
Jan 8, 2023 20:38:20.189132929 CET  51.15.54.102  14444        192.168.2.4   49696
Jan 8, 2023 20:38:20.189287901 CET  192.168.2.4   49696        51.15.54.102  14444
Jan 8, 2023 20:38:20.193809986 CET  192.168.2.4   49696        51.15.54.102  14444
Jan 8, 2023 20:38:20.231337070 CET  51.15.54.102  14444        192.168.2.4   49696
Jan 8, 2023 20:38:20.244035006 CET  51.15.54.102  14444        192.168.2.4   49696
Jan 8, 2023 20:38:20.378648043 CET  192.168.2.4   49696        51.15.54.102  14444
Jan 8, 2023 20:38:39.675834894 CET  51.15.54.102  14444        192.168.2.4   49696
Jan 8, 2023 20:38:39.770972013 CET  192.168.2.4   49696        51.15.54.102  14444
Jan 8, 2023 20:39:36.903692007 CET  51.15.54.102  14444        192.168.2.4   49696
Jan 8, 2023 20:39:36.947606087 CET  192.168.2.4   49696        51.15.54.102  14444
Jan 8, 2023 20:40:28.229438066 CET  51.15.54.102  14444        192.168.2.4   49696
Jan 8, 2023 20:40:28.280016899 CET  192.168.2.4   49696        51.15.54.102  14444
UDP packets
Timestamp                           Source IP    Source Port  Dest IP      Dest Port
Jan 8, 2023 20:38:20.083599091 CET  192.168.2.4  50911        8.8.8.8      53
Jan 8, 2023 20:38:20.103724003 CET  8.8.8.8      53           192.168.2.4  50911

DNS queries
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
Jan 8, 2023 20:38:20.083599091 CET  192.168.2.4  8.8.8.8  0xaad8    Standard query (0)  xmr-eu1.nanopool.org  A (IP address)  IN (0x0001)  false

DNS answers
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                  CName  Address          Type            Class        DNS over HTTPS
Jan 8, 2023 20:38:20.103724003 CET  8.8.8.8    192.168.2.4  0xaad8    No error (0)  xmr-eu1.nanopool.org  -      135.125.238.108  A (IP address)  IN (0x0001)  false
Jan 8, 2023 20:38:20.103724003 CET  8.8.8.8    192.168.2.4  0xaad8    No error (0)  xmr-eu1.nanopool.org  -      51.68.190.80     A (IP address)  IN (0x0001)  false
Jan 8, 2023 20:38:20.103724003 CET  8.8.8.8    192.168.2.4  0xaad8    No error (0)  xmr-eu1.nanopool.org  -      51.15.69.136     A (IP address)  IN (0x0001)  false
Jan 8, 2023 20:38:20.103724003 CET  8.8.8.8    192.168.2.4  0xaad8    No error (0)  xmr-eu1.nanopool.org  -      51.15.65.182     A (IP address)  IN (0x0001)  false
Jan 8, 2023 20:38:20.103724003 CET  8.8.8.8    192.168.2.4  0xaad8    No error (0)  xmr-eu1.nanopool.org  -      51.15.78.68      A (IP address)  IN (0x0001)  false
Jan 8, 2023 20:38:20.103724003 CET  8.8.8.8    192.168.2.4  0xaad8    No error (0)  xmr-eu1.nanopool.org  -      51.15.54.102     A (IP address)  IN (0x0001)  false
                                                      Target ID:0
                                                      Start time:20:36:04
                                                      Start date:08/01/2023
                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
                                                      Imagebase:0x7ff757340000
                                                      File size:5866496 bytes
                                                      MD5 hash:FB3BE4185B968FAEC0C3AB87FB4B35AA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                      • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                      Reputation:low

                                                      Target ID:1
                                                      Start time:20:36:07
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE
                                                      Imagebase:0x7ff67b4d0000
                                                      File size:226816 bytes
                                                      MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:2
                                                      Start time:20:36:07
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c72c0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:3
                                                      Start time:20:36:07
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\System32\icacls.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)
                                                      Imagebase:0x7ff784b20000
                                                      File size:36864 bytes
                                                      MD5 hash:2F768115A6D01814354518DE29EE7CFE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      Target ID:4
                                                      Start time:20:36:08
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c72c0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:5
                                                      Start time:20:36:08
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\System32\icacls.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)
                                                      Imagebase:0x7ff784b20000
                                                      File size:36864 bytes
                                                      MD5 hash:2F768115A6D01814354518DE29EE7CFE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      Target ID:6
                                                      Start time:20:36:08
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c72c0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:7
                                                      Start time:20:36:08
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\System32\icacls.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD)
                                                      Imagebase:0x7ff784b20000
                                                      File size:36864 bytes
                                                      MD5 hash:2F768115A6D01814354518DE29EE7CFE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate

                                                      Target ID:8
                                                      Start time:20:36:08
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c72c0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:14
                                                      Start time:20:38:10
                                                      Start date:08/01/2023
                                                      Path:C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
                                                      Imagebase:0x7ff6b8bc0000
                                                      File size:1156876496 bytes
                                                      MD5 hash:E5D5641CC9E28BC2C2A5FB15FD39249F
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth
                                                      • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      Reputation:low

                                                      Target ID:15
                                                      Start time:20:38:17
                                                      Start date:08/01/2023
                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                                      Imagebase:0x7ff7296c0000
                                                      File size:119904 bytes
                                                      MD5 hash:98A8F518B66BA43DF38821C364C3B791
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.828300588.000001D7221FD000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.829305364.000001D722DB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000F.00000002.828171244.000001D722167000.00000002.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.828946727.000001D722D48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate

                                                      Target ID:16
                                                      Start time:20:40:09
                                                      Start date:08/01/2023
                                                      Path:C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
                                                      Wow64 process (32bit):
                                                      Commandline:C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
                                                      Imagebase:
                                                      File size:1156876496 bytes
                                                      MD5 hash:E5D5641CC9E28BC2C2A5FB15FD39249F
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth
                                                      • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                      • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                                      Reputation:low

                                                      No disassembly