Edit tour

Windows Analysis Report
01904399.dat.exe

Overview

General Information

Sample Name:	01904399.dat.exe
Analysis ID:	876764
MD5:	33b4baef7b0a6ad57a7d30af324c4efd
SHA1:	b169a559615a8448d7ed7da56d36a6850d2092e2
SHA256:	3a48d4a5106dd9ba74e5fccfe58bf65581ee894d7f3ca1b15e6680fc912cd150
Tags:	CoinMiner
Infos:

Detection

LoaderBot, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Sigma detected: Drops script at startup location

Multi AV Scanner detection for dropped file

Yara detected LoaderBot

Sigma detected: Xmrig

Found strings related to Crypto-Mining

Detected Stratum mining protocol

Machine Learning detection for sample

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

IP address seen in connection with other malware

Entry point lies outside standard sections

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a start menu entry (Start Menu\Programs\Startup)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

01904399.dat.exe (PID: 5684 cmdline: C:\Users\user\Desktop\01904399.dat.exe MD5: 33B4BAEF7B0A6AD57A7D30AF324C4EFD)

Driver.exe (PID: 4628 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2 MD5: 02569A7A91A71133D4A1023BF32AA6F4)

conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

01904399.dat.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe" MD5: 33B4BAEF7B0A6AD57A7D30AF324C4EFD)

01904399.dat.exe (PID: 4676 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe" MD5: 33B4BAEF7B0A6AD57A7D30AF324C4EFD)

01904399.dat.exe (PID: 676 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe" MD5: 33B4BAEF7B0A6AD57A7D30AF324C4EFD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
01904399.dat.exe	JoeSecurity_LoaderBot	Yara detected LoaderBot	Joe Security
01904399.dat.exe	MALWARE_Win_CoinMiner04	Detects coinmining malware	ditekSHen	0x3f5535:$s1: createDll 0x3f5821:$s2: getTasks 0x3f568f:$s3: SetStartup 0x3f5563:$s4: loadUrl 0x3f5712:$s5: Processer 0x3f588e:$s6: checkProcess 0x3f589b:$s7: runProcess 0x3f573a:$s8: createDir 0x3f5a4f:$cnc1: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0 0x3f5ae3:$cnc2: ?hwid= 0x3f5b13:$cnc3: ?timeout=1 0x3f5c45:$cnc4: &completed=

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	URL_File_Local_EXE	Detects an .url file that points to a local executable	Florian Roth (Nextron Systems)	0x0:$s1: [InternetShortcut] 0x14:$s2: URL=file:///C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	Methodology_Suspicious_Shortcut_Local_URL	Detects local script usage for .URL persistence	@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)	0x14:$file: URL=file:/// 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.822561306.0000000000510000.00000004.00000020.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x34a4:$s03: -o pool.
00000002.00000002.823432979.000001C49DE04000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.822561306.000000000053B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.551027505.00000000005FC000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_LoaderBot	Yara detected LoaderBot	Joe Security
00000001.00000002.822561306.0000000000518000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: 01904399.dat.exe PID: 5684	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x1b90:$s03: -o pool. 0x23cc:$s03: -o pool. 0x26420:$s03: -o pool. 0x2da40:$s03: -o pool.
Process Memory Space: 01904399.dat.exe PID: 5684	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: 01904399.dat.exe PID: 5684	JoeSecurity_LoaderBot	Yara detected LoaderBot	Joe Security
Process Memory Space: Driver.exe PID: 4628	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x722:$s03: -o pool. 0xa5e:$s03: -o pool. 0xb3b:$s03: -o pool.
Process Memory Space: Driver.exe PID: 4628	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: conhost.exe PID: 5468	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.01904399.dat.exe.380000.0.unpack	JoeSecurity_LoaderBot	Yara detected LoaderBot	Joe Security
0.0.01904399.dat.exe.380000.0.unpack	MALWARE_Win_CoinMiner04	Detects coinmining malware	ditekSHen	0x3f5535:$s1: createDll 0x3f5821:$s2: getTasks 0x3f568f:$s3: SetStartup 0x3f5563:$s4: loadUrl 0x3f5712:$s5: Processer 0x3f588e:$s6: checkProcess 0x3f589b:$s7: runProcess 0x3f573a:$s8: createDir 0x3f5a4f:$cnc1: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0 0x3f5ae3:$cnc2: ?hwid= 0x3f5b13:$cnc3: ?timeout=1 0x3f5c45:$cnc4: &completed=

Sigma Signatures

Bitcoin Miner

Sigma detected: Xmrig

Source: Process started

Author: Joe Security: Data: Command: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2, CommandLine: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe, NewProcessName: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe, ParentCommandLine: C:\Users\user\Desktop\01904399.dat.exe, ParentImage: C:\Users\user\Desktop\01904399.dat.exe, ParentProcessId: 5684, ParentProcessName: 01904399.dat.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2, ProcessId: 4628, ProcessName: Driver.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\01904399.dat.exe, ProcessId: 5684, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 01904399.dat.exe	ReversingLabs: Detection: 81%
Source: 01904399.dat.exe	Virustotal: Detection: 77%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: 01904399.dat.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for sample

Source: 01904399.dat.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.823432979.000001C49DE04000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.822561306.000000000053B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.822561306.0000000000518000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 01904399.dat.exe PID: 5684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Driver.exe PID: 4628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 5468, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: 01904399.dat.exe, 00000000.00000000.551027505.0000000000382000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: @cryptonight/0cn
Source: conhost.exe, 00000002.00000002.823454090.000001C49E130000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: XMRig 6.2.2sv

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.4:49694 -> 141.94.96.71:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"427x8gux5jrrgk4v7grcwk85mwpjcan7djgqbabcetdqc5bivy27pept3ctx43qmladkaardf4kw4hiozmdq7ehrnczdnfm","pass":"x","agent":"xmrig/6.2.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/wrkz","astrobwt","kawpow"]}}.

Source: 01904399.dat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 01904399.dat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_00FCBAA8
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then jmp 00FC0FA9h	0_2_00FC0E48
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then jmp 00FC2A7Eh	0_2_00FC2613
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00FC08E0
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00FC018C
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_00FC0189
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_00FCBA9D
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_00FCC3C8
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_00FCC3BD
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00FC452C
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00FC652D
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	3_2_0147B398
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then jmp 014726B6h	3_2_0147224B
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_0147018C
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_014708E0
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	3_2_0147B38D
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_014732D0
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	3_2_0147BCAD
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	3_2_0147BCB8
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then jmp 01470FA9h	3_2_01470E48
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then jmp 01470FA9h	3_2_01470E58
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_01475E1C
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then jmp 00F524F6h	4_2_00F5208B
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_00F5B398
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_00F508E0
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_00F5018C
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_00F50189
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_00F532D0
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_00F5B38D
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_00F5BCB8
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_00F5BCAD
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then jmp 00F50FA9h	4_2_00F50E48
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_00F55E1C
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then jmp 02FD24F6h	5_2_02FD208B
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then jmp 02FD0FA9h	5_2_02FD0E48
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	5_2_02FD08E0
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	5_2_02FD018C
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	5_2_02FD0189

Source: Joe Sandbox View

ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese

Source: Joe Sandbox View

IP Address: 141.94.96.71 141.94.96.71

Source: global traffic

TCP traffic: 192.168.2.4:49694 -> 141.94.96.71:3333

Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 01904399.dat.exe, Driver.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: pool.supportxmr.com

Source: 01904399.dat.exe, 00000000.00000002.588365499.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 01904399.dat.exe, type: SAMPLE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.0.01904399.dat.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen

Source: 01904399.dat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 01904399.dat.exe, type: SAMPLE	Matched rule: MALWARE_Win_CoinMiner04 author = ditekSHen, description = Detects coinmining malware
Source: 0.0.01904399.dat.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner04 author = ditekSHen, description = Detects coinmining malware
Source: 00000001.00000002.822561306.0000000000510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: 01904399.dat.exe PID: 5684, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: Driver.exe PID: 4628, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, type: DROPPED	Matched rule: URL_File_Local_EXE date = 2017-10-04, author = Florian Roth (Nextron Systems), description = Detects an .url file that points to a local executable, score = , reference = https://twitter.com/malwareforme/status/915300883012870144, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, type: DROPPED	Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044

Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 0_2_00FC2AE8	0_2_00FC2AE8
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 0_2_00FCAFD0	0_2_00FCAFD0
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 0_2_00FCC788	0_2_00FCC788
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 0_2_00FCA1A0	0_2_00FCA1A0
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 0_2_00FC2AD9	0_2_00FC2AD9
Source: C:\Users\user\Desktop\01904399.dat.exe	Code function: 0_2_00FC9C50	0_2_00FC9C50
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 3_2_0147A8C0	3_2_0147A8C0
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 3_2_01472720	3_2_01472720
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 3_2_01479A90	3_2_01479A90
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 3_2_01479540	3_2_01479540
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 3_2_0147270F	3_2_0147270F
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4_2_00F5A8C0	4_2_00F5A8C0
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4_2_00F52560	4_2_00F52560
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4_2_00F59A90	4_2_00F59A90
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4_2_00F59540	4_2_00F59540
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 4_2_00F5254F	4_2_00F5254F
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 5_2_02FD2560	5_2_02FD2560
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Code function: 5_2_02FD254F	5_2_02FD254F

Source: 01904399.dat.exe, 00000000.00000000.553802307.000000000077A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename0 vs 01904399.dat.exe
Source: 01904399.dat.exe, 00000000.00000002.588365499.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 01904399.dat.exe
Source: 01904399.dat.exe, 00000003.00000002.645598292.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 01904399.dat.exe
Source: 01904399.dat.exe, 00000004.00000002.714201052.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 01904399.dat.exe
Source: 01904399.dat.exe, 00000005.00000002.647446627.000000000139A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 01904399.dat.exe
Source: 01904399.dat.exe	Binary or memory string: OriginalFilename0 vs 01904399.dat.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe 8D6ABBA9B216172CFC64B8802DB0D20A1C634C96E1049F451EDDBA2363966BF0

Source: 01904399.dat.exe	ReversingLabs: Detection: 81%
Source: 01904399.dat.exe	Virustotal: Detection: 77%

Source: 01904399.dat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\01904399.dat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\01904399.dat.exe C:\Users\user\Desktop\01904399.dat.exe
Source: C:\Users\user\Desktop\01904399.dat.exe	Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe "C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe "C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe "C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe"
Source: C:\Users\user\Desktop\01904399.dat.exe	Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2	Jump to behavior

Source: C:\Users\user\Desktop\01904399.dat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\01904399.dat.exe

File created: C:\Users\user\AppData\Roaming\Sysfiles

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.mine.winEXE@7/2@1/1

Source: C:\Users\user\Desktop\01904399.dat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 01904399.dat.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\01904399.dat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_01

Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\01904399.dat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 01904399.dat.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 01904399.dat.exe

Static file information: File size 4156928 > 1048576

Source: 01904399.dat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 01904399.dat.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3f6400

Source: 01904399.dat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected LoaderBot

Source: Yara match	File source: 01904399.dat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.01904399.dat.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.551027505.00000000005FC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 01904399.dat.exe PID: 5684, type: MEMORYSTR

Source: Driver.exe.0.dr	Static PE information: section name: .MPRESS1
Source: Driver.exe.0.dr	Static PE information: section name: .MPRESS2

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: Driver.exe.0.dr

Static PE information: real checksum: 0x3f8bb4 should be: 0x3fb52d

Source: C:\Users\user\Desktop\01904399.dat.exe

File created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe

Jump to dropped file

Source: C:\Users\user\Desktop\01904399.dat.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url

Jump to behavior

Source: C:\Users\user\Desktop\01904399.dat.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url

Jump to behavior

Source: C:\Users\user\Desktop\01904399.dat.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Driver			Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Driver			Jump to behavior

Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\01904399.dat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: Driver.exe, 00000001.00000002.822561306.000000000053B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\01904399.dat.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\01904399.dat.exe

Code function: 0_2_00FC2AE8 LdrInitializeThunk,

0_2_00FC2AE8

Source: C:\Users\user\Desktop\01904399.dat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\01904399.dat.exe

Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2

Jump to behavior

Source: conhost.exe, 00000002.00000002.822792386.000001C49C5C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: conhost.exe, 00000002.00000002.822792386.000001C49C5C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000002.00000002.822792386.000001C49C5C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000002.00000002.822792386.000001C49C5C0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\01904399.dat.exe	Queries volume information: C:\Users\user\Desktop\01904399.dat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\01904399.dat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Queries volume information: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Queries volume information: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Queries volume information: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	21 Registry Run Keys / Startup Folder	12 Process Injection	1 Masquerading	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	21 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
01904399.dat.exe	81%	ReversingLabs	ByteCode-MSIL.Coinminer.Malxmr
01904399.dat.exe	77%	Virustotal		Browse
01904399.dat.exe	100%	Avira	TR/ATRAPS.Gen
01904399.dat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	71%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	70%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pool-fr.supportxmr.com	141.94.96.195	true	false		high
pool.supportxmr.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.94.96.71	unknown	Germany		680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	876764
Start date and time:	2023-05-27 11:21:02 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	01904399.dat.exe
Detection:	MAL
Classification:	mal100.troj.expl.mine.winEXE@7/2@1/1
EGA Information:	Successful, ratio: 75%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Execution Graph export aborted for target 01904399.dat.exe, PID 676 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:22:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe
11:22:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe
11:22:33	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
141.94.96.71	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	KMSPicoSetup.exe	Get hash	malicious	Xmrig	Browse
	target.ps1	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	LoaderBot, Xmrig	Browse
	file.exe	Get hash	malicious	RHADAMANTHYS, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	PrivateLoader, RHADAMANTHYS, Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pool-fr.supportxmr.com	Vsob3IooE7.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	ruZVRNvu0Y.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.71
	GameBar.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	FTrondtloadws.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	file.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	file.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	GoogleUpdate.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	KMSPicoSetup.exe	Get hash	malicious	Xmrig	Browse	141.94.96.195
	WvWlWr2HC0.exe	Get hash	malicious	LoaderBot, RedLine, SmokeLoader, Vidar, Xmrig, zgRAT	Browse	141.94.96.144
	spread.exe	Get hash	malicious	ETERNALBLUE, Xmrig	Browse	141.94.96.144
	target.ps1	Get hash	malicious	Xmrig	Browse	141.94.96.144
	Activator.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	d.py	Get hash	malicious	PwnRig Miner	Browse	141.94.96.71
	file.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.195
	PYnsVrS3EX.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	PYnsVrS3EX.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	file.exe	Get hash	malicious	RHADAMANTHYS, RedLine, Xmrig	Browse	141.94.96.71
	DHL ORIGINAL DOCUMENTS.exe	Get hash	malicious	RHADAMANTHYS, Xmrig	Browse	141.94.96.71
	DHL Original Documents.exe	Get hash	malicious	RHADAMANTHYS, Xmrig	Browse	141.94.96.144
	file.exe	Get hash	malicious	RHADAMANTHYS, Vidar, Xmrig	Browse	141.94.96.71

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	tiOxLaAfn6.elf	Get hash	malicious	Mirai	Browse	141.50.141.19
	https://filehippo.com/download_postgresql/9.1.5/	Get hash	malicious	Unknown	Browse	141.94.171.215
	https://urlz.fr/lW3z	Get hash	malicious	Unknown	Browse	141.95.171.142
	http://aarp.org/research	Get hash	malicious	HTMLPhisher	Browse	141.94.171.216
	https://tux-typing.fr.softonic.com	Get hash	malicious	Unknown	Browse	141.95.171.141
	Vsob3IooE7.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	MTSpago3242142023.xls	Get hash	malicious	GuLoader	Browse	141.94.149.125
	D4EATj8S1c.elf	Get hash	malicious	Mirai, Moobot	Browse	141.9.112.43
	c7n8Y8b877.elf	Get hash	malicious	Unknown	Browse	212.201.156.65
	xyK0juuSuG.elf	Get hash	malicious	Mirai, Moobot	Browse	134.77.67.255
	ruZVRNvu0Y.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.195
	GameBar.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	SPL242523535252525235.xls	Get hash	malicious	FormBook	Browse	141.94.149.125
	feobBkGOei.elf	Get hash	malicious	Mirai	Browse	195.37.8.77
	VsAKb3sxAu.elf	Get hash	malicious	Mirai	Browse	141.65.230.90
	iHDZW6bttX.elf	Get hash	malicious	Mirai	Browse	193.174.13.220
	OBBVGwjkM1.elf	Get hash	malicious	Mirai	Browse	141.60.164.212
	FWcYZPr3YJ.elf	Get hash	malicious	Unknown	Browse	141.65.242.27
	p1FejiLL02.elf	Get hash	malicious	Mirai	Browse	130.183.198.220
	xoeNOJm8Gu.elf	Get hash	malicious	Unknown	Browse	130.183.251.24

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe	Vsob3IooE7.exe	Get hash	malicious	Xmrig	Browse
	ruZVRNvu0Y.exe	Get hash	malicious	LoaderBot, Xmrig	Browse
	file.exe	Get hash	malicious	LoaderBot, Xmrig	Browse
	WvWlWr2HC0.exe	Get hash	malicious	LoaderBot, RedLine, SmokeLoader, Vidar, Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	LoaderBot, Xmrig	Browse
	8ulUl36eYw.exe	Get hash	malicious	Fabookie, ManusCrypt, PrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader, Tofsee	Browse
	file.exe	Get hash	malicious	RedLine, Xmrig	Browse
	2CH4QX76nU.exe	Get hash	malicious	LoaderBot, Xmrig	Browse
	mQRqXgFxJR.exe	Get hash	malicious	LoaderBot Xmrig	Browse
	tIH5DUSVGF.exe	Get hash	malicious	LoaderBot Xmrig	Browse
	rnFMPDf3RV.exe	Get hash	malicious	LoaderBot RedLine Xmrig	Browse
	VJO8DJVqC0.exe	Get hash	malicious	LoaderBot Xmrig	Browse
	lcDlB6uuzr.exe	Get hash	malicious	LoaderBot RedLine Xmrig	Browse
	3Yfr0pHudU.exe	Get hash	malicious	LoaderBot Xmrig	Browse
	5622_1647967473_729.exe	Get hash	malicious	Xmrig	Browse
	2862_1647970205_130.exe	Get hash	malicious	Xmrig	Browse
	SGH9m3w8Hx.exe	Get hash	malicious	Xmrig	Browse
	WQw4XERnFl.exe	Get hash	malicious	Xmrig	Browse
	8vprKeDXuJ.exe	Get hash	malicious	RedLine Xmrig	Browse
	4nmeEJrZJ9.exe	Get hash	malicious	Phoenix Stealer Xmrig	Browse

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url

Download File

Process:	C:\Users\user\Desktop\01904399.dat.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	168
Entropy (8bit):	5.1739624008988345
Encrypted:	false
SSDEEP:	3:HRAbABGQYm5uOt+kiEaKC5SQn+cVp1EQJ4ovstwWDt+WfWVUY1TEiWXU:HRYFVmwOwknaZ5ljv1EQJlvstwWDwv+8
MD5:	A8B170918085F6C5759A2AE873617DB7
SHA1:	103F652A0218AC82554B914519C68230CF2BC81A
SHA-256:	CDE88B7687C1D32F6A6C51AD0AE2A3C19F0C59EC0E2661CCD20475DD4BC7D695
SHA-512:	2E42921FD89B0B450696CEF4105C287E34B422F48E43FE2330673A6C3AD13351EA9000312354E7455EA774CBD885D23EA859CDBBF57B5F53B3A5E9133E459C4F
Malicious:	true
Yara Hits:	Rule: URL_File_Local_EXE, Description: Detects an .url file that points to a local executable, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, Author: Florian Roth (Nextron Systems) Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Preview:	[InternetShortcut]..URL=file:///C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe..IconIndex=0..IconFile=C:\Users\user\Desktop\01904399.dat.exe\backup (3).ico..

C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe

Download File

Process:	C:\Users\user\Desktop\01904399.dat.exe
File Type:	MS-DOS executable PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	4141064
Entropy (8bit):	5.210440836800201
Encrypted:	false
SSDEEP:	49152:SNDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3Z:wzP88fBsnZTgOtqB3m1RC3Z
MD5:	02569A7A91A71133D4A1023BF32AA6F4
SHA1:	0F16BCB3F3F085D3D3BE912195558E9F9680D574
SHA-256:	8D6ABBA9B216172CFC64B8802DB0D20A1C634C96E1049F451EDDBA2363966BF0
SHA-512:	534BE1FE93EE556A14CFD8FAD5377F57FB056AB4CD2BCA14E4F376F4A25D3D4D270917D68A90B3C40D8A8DAAEBA6F592FA095ECFF478332BA23405D1DF728322
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 70%, Browse
Joe Sandbox View:	Filename: Vsob3IooE7.exe, Detection: malicious, Browse Filename: ruZVRNvu0Y.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: WvWlWr2HC0.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 8ulUl36eYw.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 2CH4QX76nU.exe, Detection: malicious, Browse Filename: mQRqXgFxJR.exe, Detection: malicious, Browse Filename: tIH5DUSVGF.exe, Detection: malicious, Browse Filename: rnFMPDf3RV.exe, Detection: malicious, Browse Filename: VJO8DJVqC0.exe, Detection: malicious, Browse Filename: lcDlB6uuzr.exe, Detection: malicious, Browse Filename: 3Yfr0pHudU.exe, Detection: malicious, Browse Filename: 5622_1647967473_729.exe, Detection: malicious, Browse Filename: 2862_1647970205_130.exe, Detection: malicious, Browse Filename: SGH9m3w8Hx.exe, Detection: malicious, Browse Filename: WQw4XERnFl.exe, Detection: malicious, Browse Filename: 8vprKeDXuJ.exe, Detection: malicious, Browse Filename: 4nmeEJrZJ9.exe, Detection: malicious, Browse
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......^.........."...........k.....N2.........@.............................P........?... ..................................................0..P....@..../...W.......>..:...........................................................0...............................MPRESS1. ...............................MPRESS2.....0...........................rsrc...../..@..../.................@..............................................................v2.19..L...H...(.@.......H.......H.....`..f.@....H....O..H..(..0...&......*.....4%. 0.h. <...W..3.3.A...(.....1(.....0 ...0@.......`..N..Q.......w.....3.H...]K..X.ev.u. [.? L._.k\...........G..q\....Q..@. ......_0...+.........!.8..X0.W....t.".I.%. .. .............~.....~....S.~Cp.W:~..................O.A ...p\........L..`..O..........3.i.e...lA..A.....H...I;..\|.....O=.p....-..........3..K/.. ~.@.Q0G.."...Q......)..(..".!......@..P.)...%O.H.1......X0......G.X.XP....^Q..5\|^2.E

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.213667050308117
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	01904399.dat.exe
File size:	4156928
MD5:	33b4baef7b0a6ad57a7d30af324c4efd
SHA1:	b169a559615a8448d7ed7da56d36a6850d2092e2
SHA256:	3a48d4a5106dd9ba74e5fccfe58bf65581ee894d7f3ca1b15e6680fc912cd150
SHA512:	739759d92a9e48e41b0366104ac9edf469cd8f323bbef0b507e3351cf081869ed069b88927fa70329d655012702385a74686df921a62dba95d7ec138a1e46690
SSDEEP:	49152:ENDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:SzP88fBsnZTgOtqB3m1RC3
TLSH:	1716AE12BBD58F2BC5564B388AE783647379DC904B43575BA34AB12D3DB23E02B871D8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^=_..............0..d?.........n.?.. ....?...@.. ........................?.....r.?...`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x7f826e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F3D5ECA [Wed Aug 19 17:18:02 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f821c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3fa000	0x56e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3fc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3f6274	0x3f6400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3fa000	0x56e	0x600	False	0.4108072916666667	data	3.977161648473712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3fc000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x3fa0a0	0x2e4	data
RT_MANIFEST	0x3fa384	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2023 11:22:16.013044119 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:22:16.032238007 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:22:16.032382965 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:22:16.032670021 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:22:16.051829100 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:22:16.052047014 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:22:16.097611904 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:22:17.790553093 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:22:17.925959110 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:22:30.278016090 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:22:30.505156994 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:22:30.522566080 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:22:30.522671938 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:22:36.971442938 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:22:37.130740881 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:22:50.622674942 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:22:50.819340944 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:23:04.271902084 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:23:04.323276043 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:23:07.499193907 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:23:07.617696047 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:23:19.171196938 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:23:19.321840048 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:23:30.329309940 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:23:30.510268927 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:23:32.962342024 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:23:33.010979891 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:24:03.483032942 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:24:03.622493982 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:24:14.343648911 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:24:14.388997078 CEST	49694	3333	192.168.2.4	141.94.96.71
May 27, 2023 11:24:25.880757093 CEST	3333	49694	141.94.96.71	192.168.2.4
May 27, 2023 11:24:25.921307087 CEST	49694	3333	192.168.2.4	141.94.96.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2023 11:22:15.970175028 CEST	59683	53	192.168.2.4	8.8.8.8
May 27, 2023 11:22:16.004996061 CEST	53	59683	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2023 11:22:15.970175028 CEST	192.168.2.4	8.8.8.8	0xde18	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2023 11:22:16.004996061 CEST	8.8.8.8	192.168.2.4	0xde18	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2023 11:22:16.004996061 CEST	8.8.8.8	192.168.2.4	0xde18	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 27, 2023 11:22:16.004996061 CEST	8.8.8.8	192.168.2.4	0xde18	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 27, 2023 11:22:16.004996061 CEST	8.8.8.8	192.168.2.4	0xde18	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:22:04
Start date:	27/05/2023
Path:	C:\Users\user\Desktop\01904399.dat.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\01904399.dat.exe
Imagebase:	0x380000
File size:	4156928 bytes
MD5 hash:	33B4BAEF7B0A6AD57A7D30AF324C4EFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_LoaderBot, Description: Yara detected LoaderBot, Source: 00000000.00000000.551027505.00000000005FC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	11:22:15
Start date:	27/05/2023
Path:	C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 2
Imagebase:	0x140000000
File size:	4141064 bytes
MD5 hash:	02569A7A91A71133D4A1023BF32AA6F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000001.00000002.822561306.0000000000510000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.822561306.000000000053B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.822561306.0000000000518000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs Detection: 70%, Virustotal, Browse
Reputation:	moderate

Show Windows behavior

Target ID:	2
Start time:	11:22:15
Start date:	27/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000002.823432979.000001C49DE04000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	11:22:19
Start date:	27/05/2023
Path:	C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe"
Imagebase:	0x6e0000
File size:	4156928 bytes
MD5 hash:	33B4BAEF7B0A6AD57A7D30AF324C4EFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	11:22:31
Start date:	27/05/2023
Path:	C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe"
Imagebase:	0x440000
File size:	4156928 bytes
MD5 hash:	33B4BAEF7B0A6AD57A7D30AF324C4EFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	11:22:43
Start date:	27/05/2023
Path:	C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Sysfiles\01904399.dat.exe"
Imagebase:	0xb10000
File size:	4156928 bytes
MD5 hash:	33B4BAEF7B0A6AD57A7D30AF324C4EFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	19.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	50%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00FC2613 Relevance: 1.8, APIs: 1, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00FC2613

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6605166c3abf4429f916061f29f6513e170dc1a6d234b3d0ebbeccd2ebe17105
Instruction ID: 774a2024a2bd1a245440c3c7d68e5e1f8dc8a239084e1d907af6d927863d5cbb
Opcode Fuzzy Hash: 6605166c3abf4429f916061f29f6513e170dc1a6d234b3d0ebbeccd2ebe17105
Instruction Fuzzy Hash: 74D19C74E01219CFDB64DFA8C994B9DBBB2BF49300F2480AAD409A7351DB34AE81DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2AE8 Relevance: 1.7, APIs: 1, Instructions: 192
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00FC2B88

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03621a0a76241e5bc0a4407a3bf07df8cc18d4ebc3efc7de5842519082e22902
Instruction ID: 64cccf16c1e4460897207d9d6db04ff0b1b887be7289987c4480f5a6b6a1d278
Opcode Fuzzy Hash: 03621a0a76241e5bc0a4407a3bf07df8cc18d4ebc3efc7de5842519082e22902
Instruction Fuzzy Hash: 0C81AE74E00209DFDB14DFA9DA80A9DBBB2FF88310F24C069D909AB315DB34A942DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2AD9 Relevance: 1.6, APIs: 1, Instructions: 95
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00FC2B88

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: afa785ea7db1f605d41b051a5e9bb012b2b3a881f6a3c4afc0526852ccc7b988
Instruction ID: 615f1342c8ad7d83a3a5023602beec8397134847e112c77b11c619d1575854a8
Opcode Fuzzy Hash: afa785ea7db1f605d41b051a5e9bb012b2b3a881f6a3c4afc0526852ccc7b988
Instruction Fuzzy Hash: 19419074E042498FDB58DFAAD994A9DFBF2BF88300F14C12AD818AB318DB345906DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC788 Relevance: .5, Instructions: 535
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fa61179ffd6bca3557000191e20a359f2c5d37635edd57a13dadb775121437
Instruction ID: 90c3b9c15ee471f46b08075f4ce8411f9443567671aaeb3d88f48a72d3dbf5bb
Opcode Fuzzy Hash: 93fa61179ffd6bca3557000191e20a359f2c5d37635edd57a13dadb775121437
Instruction Fuzzy Hash: 6F227F70A0060ADFC714DF69D955B9DBBF2FF89314F14896DD00A9B261CB38AC46EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FCAFD0 Relevance: .4, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dce663378fbf4b7dfc0581d923fdbc792e42222b8937a0e0f30a4bcab8d42ab
Instruction ID: 40ba4f55ff9a180d54ed226c3c0bdae30be440decdf6b800d1aff611c3b4512a
Opcode Fuzzy Hash: 6dce663378fbf4b7dfc0581d923fdbc792e42222b8937a0e0f30a4bcab8d42ab
Instruction Fuzzy Hash: 66F1D4B4D00229CFDB24CFA9C982BDDBBB1BF48310F1485AAD409B7294DB349A85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00FCBA9D Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6154cb397214b73b8d0c95c6963f1848969d950f5ff3261b1604ab084c30163
Instruction ID: aced7856e59b04a1a212fa774d0713d893330553398e224cfd4b1b964083d89c
Opcode Fuzzy Hash: e6154cb397214b73b8d0c95c6963f1848969d950f5ff3261b1604ab084c30163
Instruction Fuzzy Hash: 6241DBB4D042589FDB14CFAAD985AEEBFF5AF48310F24802AE418BB254D7349986CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FCBAA8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e70106b0398917d5ee3ef0ad2449ace24870b65ea0349988b0e16b441f65566
Instruction ID: cf482e501fd3b3d962826f2c920728c9d51e23838b790fd657414663497e115e
Opcode Fuzzy Hash: 2e70106b0398917d5ee3ef0ad2449ace24870b65ea0349988b0e16b441f65566
Instruction Fuzzy Hash: 2141C9B4D002189FDB14CFAAD985ADEFBF5AF48310F24802AE418BB254D734A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0E48 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4cb6faa53d22b40a1096a070a787eaea557742428fce7a1e52bdda49794428
Instruction ID: 3ea0d57dd542aef0fb1aaf383510646a2f7cd8721730c136595ffc28987d08df
Opcode Fuzzy Hash: bb4cb6faa53d22b40a1096a070a787eaea557742428fce7a1e52bdda49794428
Instruction Fuzzy Hash: 794134B4D012589FDB50CFA8D598BDDBBF0BB08314F20412AE818BB394D7B99949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6374 Relevance: 1.6, APIs: 1, Instructions: 116
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00FC6481

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7671dda9f6f9f9ac83b3c0b78df39759890a9e3bd94835a76f799514f462bb42
Instruction ID: 5cd331d27f7e7ed4b42f42f95b06566654411a1f417734d267892a8467785bda
Opcode Fuzzy Hash: 7671dda9f6f9f9ac83b3c0b78df39759890a9e3bd94835a76f799514f462bb42
Instruction Fuzzy Hash: 244100B4D042199FDB14CFA9D985BDDBBB2FB48314F14912AE814AB380D774A845DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3690 Relevance: 1.6, APIs: 1, Instructions: 113
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00FC6481

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 56f317228e695fb358d2df66756d21b9f6e08ffbbd041e1a343299657a926aba
Instruction ID: 0877c4fed7abb43562806a33ff5a9e2ca7fd9ff05105a0eba9c36612ea722727
Opcode Fuzzy Hash: 56f317228e695fb358d2df66756d21b9f6e08ffbbd041e1a343299657a926aba
Instruction Fuzzy Hash: 364100B0D042199FDB18CFA9D985B9DBBF1FB48314F10912AE814EB341D7B8A845DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FCA1A0 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3594d0baf27e413c31ec6af3a04638e4776f2d7f49a5ccea8e334dd027285ae5
Instruction ID: 7f7011d69376ca1b552a4f86da61988f55c1c9d2dba6ca8234bab60b63547fb7
Opcode Fuzzy Hash: 3594d0baf27e413c31ec6af3a04638e4776f2d7f49a5ccea8e334dd027285ae5
Instruction Fuzzy Hash: 3C02BF70D0022DCBDB24CFA8C981BDDBBB1BF48314F1485AAD409B7294EB74AA85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00FC9C50 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6f62c6d74904c3f6b0a117519e3c334173551174c68450bbeb9ee2f7cc7b78
Instruction ID: 03515d8a8bc1b26b71c1728c54e69b080d789e91a564966a663fb21b66108b7a
Opcode Fuzzy Hash: 3a6f62c6d74904c3f6b0a117519e3c334173551174c68450bbeb9ee2f7cc7b78
Instruction Fuzzy Hash: CFE1E1B0D04219CFDB64CFA8C985BDDBBB1BF48314F1081AAD409B7290DB74AA85DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00FC652D Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf700afd625adebec569cad0bdc2ea12499c527e397aca56728273386043df1
Instruction ID: b5e408e51e5de53547e0a4c1cb44b7d5bc15bd40661f6ceffb9f0b5463778c0f
Opcode Fuzzy Hash: abf700afd625adebec569cad0bdc2ea12499c527e397aca56728273386043df1
Instruction Fuzzy Hash: E0410EB0D042099FDB10CFA9DA85BAEBBB1BF09310F24912EE814AB344D7749889DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FC452C Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0c543d1e601f3ff4d435900b09eb8b166b7209cf3dcafeae9c9d44af531822
Instruction ID: b98259526f2f55494056bddac2ed0b1dddbda3ba8c7d3df6c08a00c7edb11ebc
Opcode Fuzzy Hash: ab0c543d1e601f3ff4d435900b09eb8b166b7209cf3dcafeae9c9d44af531822
Instruction Fuzzy Hash: C24100B4D042099FDB10CFA9DA85BADBBF1BB09310F24952EE814FB244D774A889DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC3BD Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214c1933638c5e900140fee0a5806733e8548dcc609180ef2762e75c17afcc9f
Instruction ID: 0cdea7ceed7a73c1993987be66447c7e8d3fb85fa5f578a0aeecd983673abb34
Opcode Fuzzy Hash: 214c1933638c5e900140fee0a5806733e8548dcc609180ef2762e75c17afcc9f
Instruction Fuzzy Hash: 3041CBB4D002189FDB14CFEAD690AEEBBF5AF49300F20902AE408BB254D734A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FC08E0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69652dae16f6edf727d2f38c0f971ad6e6add131a7b1d6e0b4f34380636aff36
Instruction ID: 247e9e9eba235a5e985c33fd515a89c246b78fb5cf07e26628b61c5e428816a4
Opcode Fuzzy Hash: 69652dae16f6edf727d2f38c0f971ad6e6add131a7b1d6e0b4f34380636aff36
Instruction Fuzzy Hash: CE31DBB9D04258DFCB00CFA9D484AEEFBF0AB49310F24905AE454B7310D778A94ACF64

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0189 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aed1eb552d8d4e89a3adb636c3406eeecba3d82de875bcb0bd0c2f619e0dab9
Instruction ID: aa1f875098abb848a9bb3461b601234d2a6aefc395e2af7ee8c2e0570465a962
Opcode Fuzzy Hash: 7aed1eb552d8d4e89a3adb636c3406eeecba3d82de875bcb0bd0c2f619e0dab9
Instruction Fuzzy Hash: 5531DDB5D04258DFCB00CFA9D584AEEFBF4AB09310F24906AE414B7310D778A989CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00FC018C Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07294c87e5b817f8824667a9e348755b51b6bdc35aead193ea35e1019c028ef0
Instruction ID: ef18231bcb3798c4e47fb0ed4b8ddd5192a7a70be0e606b181dab769576b6513
Opcode Fuzzy Hash: 07294c87e5b817f8824667a9e348755b51b6bdc35aead193ea35e1019c028ef0
Instruction Fuzzy Hash: 2531CDB5D04258DFCB00CFA9D584AEEFBF4AB49310F14906AE414B7310D778A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC3C8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.605777355.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb229d42c95e2192b544067af2518449788558dcf3bfa23d3f417c088630cf8
Instruction ID: ed87e587d033001eeed9c3b4b383fde6e11d1fc5090c44550b5edd5aee31cbf9
Opcode Fuzzy Hash: ebb229d42c95e2192b544067af2518449788558dcf3bfa23d3f417c088630cf8
Instruction Fuzzy Hash: 5D31BBB5D002189FDB14CFEADA80AEEFBF5AF49300F20902AE408BB254D734A945CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 01904399.dat.exePID: 7132, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Executed Functions

Function 01472720 Relevance: 1.7, APIs: 1, Instructions: 192
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 014727C0

Memory Dump Source

Source File: 00000003.00000002.656724338.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1470000_01904399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3727b0396a2e3d344e2d9b1df3df87250be6a7cc8a9c683b720f703fb90a991
Instruction ID: 33b273416cc796869a81b391c36f4f6e508b98509911eba19bc07c55f588c137
Opcode Fuzzy Hash: f3727b0396a2e3d344e2d9b1df3df87250be6a7cc8a9c683b720f703fb90a991
Instruction Fuzzy Hash: CA81B274E00219DFDB14DFAAD980A9DFBB2BF88700F14C16AD948AB315DB309842CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0147270F Relevance: 1.6, APIs: 1, Instructions: 101
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 014727C0

Memory Dump Source

Source File: 00000003.00000002.656724338.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1470000_01904399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c53e24c6ad2b6cb25469a27fb4899cd77cdf1588bc7dac24010cf2fdf214c9d
Instruction ID: a8b7fe20e76b063319741e9cff58568f0396b473637e42ce4b1c3d3248ec79b8
Opcode Fuzzy Hash: 8c53e24c6ad2b6cb25469a27fb4899cd77cdf1588bc7dac24010cf2fdf214c9d
Instruction Fuzzy Hash: C2419374E016089FDB18DFAAD98499DFBF6BF88300F14C12AD918AB328DB345946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 014732E0 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 01475D71

Memory Dump Source

Source File: 00000003.00000002.656724338.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1470000_01904399.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0e35687e8e703becf9b137b2329a4479a7e7191c3291f1d27119c060b76ef7b8
Instruction ID: d0df9053027bc97a961b35be1c796301f699b95476356d7ec27b09bd3728ee55
Opcode Fuzzy Hash: 0e35687e8e703becf9b137b2329a4479a7e7191c3291f1d27119c060b76ef7b8
Instruction Fuzzy Hash: C05146B0E006089FDB24CFA9D944BDEBBF1FB99310F14852AD405AB360DBB49846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01475C64 Relevance: 1.6, APIs: 1, Instructions: 114
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 01475D71

Memory Dump Source

Source File: 00000003.00000002.656724338.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1470000_01904399.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e0acaf5a0090409ff688268dbbcbebb3d7a3bb6198e5ce64f63c53470b878ac
Instruction ID: 312f5b3ca8e4ea6bc9aeec6dbe11de2a2f208d3922c188fc81b28c88d4664719
Opcode Fuzzy Hash: 1e0acaf5a0090409ff688268dbbcbebb3d7a3bb6198e5ce64f63c53470b878ac
Instruction Fuzzy Hash: 0641F3B4D002589FDB14CFA9D988BDEBBF1FB49314F20912AE814AB350D7B49846CF54

Uniqueness

Uniqueness Score: -1.00%

Function 014732C4 Relevance: 1.6, APIs: 1, Instructions: 113
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 01475D71

Memory Dump Source

Source File: 00000003.00000002.656724338.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1470000_01904399.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 074447899468b923320af7e8fdc1e0936306be934eb1846b1ca8af7d2fdd21a6
Instruction ID: c8641f0c57e50b81272685658e720d9c7dee3c5ea842b53afa8f5f1cbae02cd2
Opcode Fuzzy Hash: 074447899468b923320af7e8fdc1e0936306be934eb1846b1ca8af7d2fdd21a6
Instruction Fuzzy Hash: AD41F4B4D002189FDB14CFA9D988BDEBBF1FB59314F10912AE814AB350D7B4A846CF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 01904399.dat.exePID: 4676, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Executed Functions

Function 00F5208B Relevance: 1.8, APIs: 1, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F5208B

Memory Dump Source

Source File: 00000004.00000002.719214290.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_01904399.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b4ee1e29e05f1356294216f6de1f7bbe9f843cfd8828e36ec49b226c2feadcbb
Instruction ID: ba7aba2ab068174a2976d39c202624e098c528a250c2e7f0f04df7587c06308d
Opcode Fuzzy Hash: b4ee1e29e05f1356294216f6de1f7bbe9f843cfd8828e36ec49b226c2feadcbb
Instruction Fuzzy Hash: 0DD1AD74E01259CFDB60DFA8C884B9DFBB2BB49300F1481AAD909A7351DB30AD85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00F52560 Relevance: 1.7, APIs: 1, Instructions: 192
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F52600

Memory Dump Source

Source File: 00000004.00000002.719214290.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_01904399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76aa4a3888ebf6a632567af7dd8a9fde89d406b3148f5bb71f06d864f8f6e74d
Instruction ID: 6110c68944ca60cf09aff10474cf5e113e6443161666befd5dfbf35f9d38ceee
Opcode Fuzzy Hash: 76aa4a3888ebf6a632567af7dd8a9fde89d406b3148f5bb71f06d864f8f6e74d
Instruction Fuzzy Hash: CE819B74E01209CFDB14DFAAD984A9DFBB2FF89300F248169D908AB315DB30A946DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00F5254F Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F52600

Memory Dump Source

Source File: 00000004.00000002.719214290.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_01904399.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71286c521d5c21bdb736b943922f731fe6223b9efd4cc92288a224779932ddba
Instruction ID: 7449495c30b997d1d9f9f053ad44dbe59d874726890c11035f0af1d96f3597c7
Opcode Fuzzy Hash: 71286c521d5c21bdb736b943922f731fe6223b9efd4cc92288a224779932ddba
Instruction Fuzzy Hash: 794180B5E012088FDB08DFAAD84459DFBF2BF88300F14C16AD918AB368DB745946DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F55C64 Relevance: 1.6, APIs: 1, Instructions: 115
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F55D71

Memory Dump Source

Source File: 00000004.00000002.719214290.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_01904399.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1b9bbe3fcb8a6820d81412500f8096475c86c6c2d74c728ec04c7cbe24deae21
Instruction ID: eff517930cc8478cf81b43bc07bfe88234550f86a31f209efec2394f65711e13
Opcode Fuzzy Hash: 1b9bbe3fcb8a6820d81412500f8096475c86c6c2d74c728ec04c7cbe24deae21
Instruction Fuzzy Hash: BE4122B5D046588FDB10CFA9C898BDDBBF1FB48711F20912AE814AB390D7B4984ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 00F532C4 Relevance: 1.6, APIs: 1, Instructions: 113
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F55D71

Memory Dump Source

Source File: 00000004.00000002.719214290.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f50000_01904399.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f3f20a4dd6c08319b6db937f02d4c114ab4f6fa59218a8e6cb9602fbd7d2525f
Instruction ID: 416d008a4438ead39bb2140d892fd1acffbb3f5a10c16e13c065daad2199dd77
Opcode Fuzzy Hash: f3f20a4dd6c08319b6db937f02d4c114ab4f6fa59218a8e6cb9602fbd7d2525f
Instruction Fuzzy Hash: 664113B5D046589FDB14CFA9C898B9DBBF1FB48711F209129E814AB380D7B4984ADF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 01904399.dat.exePID: 676, Parent PID: 3528COMMON

Executed Functions

Function 02FD208B Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba06e90f88933d9ff903dc24f14bc69844682df94769138371d20d4356def188
Instruction ID: 09ce4d528fa94b1202df1708281416f6e1e98595e11bc1d00dd9bdc57e9115dc
Opcode Fuzzy Hash: ba06e90f88933d9ff903dc24f14bc69844682df94769138371d20d4356def188
Instruction Fuzzy Hash: 49D19B74E01259CFDB60DFA8C894B9DFBB2BB49300F1580AAD909AB351DB30AD85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02FD2560 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d897ace190fbcda923d5468df5f0420d4cafb356ccfed24167eb8cffa0f07ce
Instruction ID: 2dbfd08b5c208e92b8a4b40147b8d629bf2d6d6eae20dae816d659ad6ed8be98
Opcode Fuzzy Hash: 0d897ace190fbcda923d5468df5f0420d4cafb356ccfed24167eb8cffa0f07ce
Instruction Fuzzy Hash: 4D819C74E00209DFDB24DFAAD984A9DFBB2BF88300F24C069D919AB355DB349946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02FD254F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd017c2eda0dc27ace67b5e9bb73e1999d23d6bd0d4cb9971d6016d3da74207
Instruction ID: 78f5aa298f846c77ce6b34012dc518a844708f84e63ddb51bb81cdf29cf3b8dc
Opcode Fuzzy Hash: 5bd017c2eda0dc27ace67b5e9bb73e1999d23d6bd0d4cb9971d6016d3da74207
Instruction Fuzzy Hash: 61415E75E012098FDB58DFAAD95499DFBF2BF88300F14C16AD918AB318DB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1C05 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21ecf84bf8951e5a055d08c5b39577a7507c524f9d07fe5dddb03dcab1f21e6
Instruction ID: b7c395096fe16cd971ba44fc5e46ad5c849c81d843a8c738faa072f89f640346
Opcode Fuzzy Hash: c21ecf84bf8951e5a055d08c5b39577a7507c524f9d07fe5dddb03dcab1f21e6
Instruction Fuzzy Hash: 4BB10674E05229CFDBA4CF68C980B9DBBF1BB09300F1491AAD95DA7341E730AA85DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02FD04A0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b82f4683c5972773f430c93ca0e71220af897bf7bf650b88462da2cee379120
Instruction ID: 20c124d8748932e91292affe1b07d8fa04b8029b776592e1a8e602bd508a6c6a
Opcode Fuzzy Hash: 2b82f4683c5972773f430c93ca0e71220af897bf7bf650b88462da2cee379120
Instruction Fuzzy Hash: B181CF70E01209DFCB58DFA9D454AAEBBB2BF88700F24852DD419BB364DB31AC46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02FD04B0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4bf168d021eb89505f1fe82cd051e00776b206ad92ce78ee825866f73d3bdf
Instruction ID: 9fd5e6c81a8277c4e501d3ea032ee671d169323e2f7f989b733ea6e95c01c89e
Opcode Fuzzy Hash: 9f4bf168d021eb89505f1fe82cd051e00776b206ad92ce78ee825866f73d3bdf
Instruction Fuzzy Hash: E181CF70E01209DFCB58DFA9D454A9EBBB2BF88700F20802DD419BB364EB31AC46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02FD11E9 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137574490621da938a249fd5b8e2f7c483dcedabeb87dd7232374a2b7b73202
Instruction ID: f9bafbb6722fc6ed26f036112ca50f3acacbb07d78acfd4a88a20d0010fc273a
Opcode Fuzzy Hash: 8137574490621da938a249fd5b8e2f7c483dcedabeb87dd7232374a2b7b73202
Instruction Fuzzy Hash: 51A16CB4E01218CFDB64DFA9D994B9DBBF1BF49304F2081AAE408AB351D775A985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02FD11F8 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d57832f8987e3d943ff1547d04eae825b21d88f403dc157aaf700d3b5adac38
Instruction ID: 7e6b9b1ffc315ba651f107d99687570f46b78ee7ade353bd7331a050d87f1f08
Opcode Fuzzy Hash: 7d57832f8987e3d943ff1547d04eae825b21d88f403dc157aaf700d3b5adac38
Instruction Fuzzy Hash: 4AA15BB4E01218CFDB64DFA9D994B9DBBF1BF49304F2081A9E408AB351DB75A985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1639 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab14f49d7b68b2361e1d84fbbe5deb7f93e2caf4db20c2ade414f9f450c200b
Instruction ID: 3929e1c21ba1a0f5a936742df933cec1da2a874e0f3b44ec7898eb7d78ef17c5
Opcode Fuzzy Hash: 7ab14f49d7b68b2361e1d84fbbe5deb7f93e2caf4db20c2ade414f9f450c200b
Instruction Fuzzy Hash: B76177B4E012188FDB50CFA8D598BDDBBF1FB48314F24816AE818AB351DB759989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FD18D9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a336568cbcd0673d9f47fc8db109bae0bcb6b938ae0b6a36ea4442837cb787b
Instruction ID: 5f8ce59a816155a02abeec2ad799879a2985ab468b3bd8265ad88e254f23d910
Opcode Fuzzy Hash: 8a336568cbcd0673d9f47fc8db109bae0bcb6b938ae0b6a36ea4442837cb787b
Instruction Fuzzy Hash: 7A816FB0901268CFEB64DF65C9687DEBBB1BF44308F1481D9C50C6B291DB7A5A89CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1648 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790ff55a4d68e0e8786062527630e4691002a8e6104a15e5a7b323b4140f24fa
Instruction ID: de129f026cf40f59ac34a604346c34c800804252b2c42bc168cca76b1e8bff95
Opcode Fuzzy Hash: 790ff55a4d68e0e8786062527630e4691002a8e6104a15e5a7b323b4140f24fa
Instruction Fuzzy Hash: 9F6176B4E01218CFDB50DFA9D598B8DBBF1BB08304F24816AE418AB351DB759989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FD18E8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5301b9e97f97fabc856ae814402b8139b4f5f9681de44010e580a321ff1896
Instruction ID: a9000c3a367c0fd87382b75613f89f97566ca390590e6ed0084f257d762beaa5
Opcode Fuzzy Hash: 9e5301b9e97f97fabc856ae814402b8139b4f5f9681de44010e580a321ff1896
Instruction Fuzzy Hash: F8714FB0901269CFEB64DF65C96879EBBB1BF45308F1481D9C10C6B291DB7A5A89CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02FD331D Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8ae5a36ebb4b5166533f18725ede5952d3dc91977f7cd279371632628d708c
Instruction ID: 6208a0e1d56a9063be79f370315867bb285f914f6f7601b1f136e0c59386e74f
Opcode Fuzzy Hash: 0c8ae5a36ebb4b5166533f18725ede5952d3dc91977f7cd279371632628d708c
Instruction Fuzzy Hash: 94418231E002098FEB14CF99DA547AEBBB2FF85354F1880A9C605B7351DB78A905CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0FB8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec38ae137750df6b121ed40b1ca3441319ff0c48e52391ab62c6bdd5cf9c5b1a
Instruction ID: e57b931942bab7791b5c4ca43297d7e01c6d78e12bedca914bea1780d7ae37c2
Opcode Fuzzy Hash: ec38ae137750df6b121ed40b1ca3441319ff0c48e52391ab62c6bdd5cf9c5b1a
Instruction Fuzzy Hash: B4419275E012089FDB14DFAAD98499EFBF2BF88310F15D169D918AB315DB309846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FD31D8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29813903a412597fb03ad7a1a1fbbf6d87887b40280980a9c83a4c5a1f1b9c7
Instruction ID: e0c8a6a699b99730f3904ad39ebb5d9ec145314b4b50e5c5c57c1a6d00667064
Opcode Fuzzy Hash: f29813903a412597fb03ad7a1a1fbbf6d87887b40280980a9c83a4c5a1f1b9c7
Instruction Fuzzy Hash: 9831FE30B001458FDB28DBB9D4146AE7BE2FF88304F1484A9D612AB394CF749C05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0C21 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34929618014502c0707223b6a53101064487246eddebd2aabb7d94808963e40
Instruction ID: ba42710bd3a9a7ecb91839b08d3fec840a5c9af7c035a6616b2a4778caf82f3c
Opcode Fuzzy Hash: c34929618014502c0707223b6a53101064487246eddebd2aabb7d94808963e40
Instruction Fuzzy Hash: 9741F530D01249DFCB04DFA8D094A9EFBB2FF45304F1985A9D514AB351DB35AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0A99 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592b0a50ee2a98e15927bc8c13cdefd8b2182c40be4352c2d670fbe962023462
Instruction ID: 99a162b82437833598a189f768e301414aa268551f8b33343a319674bb1577dd
Opcode Fuzzy Hash: 592b0a50ee2a98e15927bc8c13cdefd8b2182c40be4352c2d670fbe962023462
Instruction Fuzzy Hash: 3031E770A0124ACFCB44DFA8D484AEEBBB2FF49304F15896AE514AB261D7349D45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02FD152F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7ee264817ebf698418cd2791732ac1647ca19532b276641e40ccb1d4515d18
Instruction ID: 8c28836d39961400998138117d5ba9aefbc57eaeec6bb2a6bb832e5dcb21d102
Opcode Fuzzy Hash: 8d7ee264817ebf698418cd2791732ac1647ca19532b276641e40ccb1d4515d18
Instruction Fuzzy Hash: E631AE74E01208DFCB44DFA8D588AADBBF2EF89310F1451AAE905AB360DB35AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0C30 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811dc073f27543d28af70983e57af44e940e7ed9faae3a465c8feaad6f0bf96f
Instruction ID: 6386b676f30e0decc46cd8c5d79330f43fdaff87a732a3490d265054f1c9e4bc
Opcode Fuzzy Hash: 811dc073f27543d28af70983e57af44e940e7ed9faae3a465c8feaad6f0bf96f
Instruction Fuzzy Hash: 1531C270E0120ADFCB04DFA8D494A9EFBB2FF88305F258569D514AB350DB79AD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1E5C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4d7123a97bb62fcbcf863ea18190bacb464d392eef8bed641ab26682ea8aaf
Instruction ID: 56b517ea8ae5bf2b084f13ea6dd77917cfbe841ba2713b1ca0670632d64e0afb
Opcode Fuzzy Hash: df4d7123a97bb62fcbcf863ea18190bacb464d392eef8bed641ab26682ea8aaf
Instruction Fuzzy Hash: D8414C74E05228CFCB64CFA8D584AECFBF1BB09300F1491A6E819A7344E774AA85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 02FD281B Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df71075d9cf981a10d31514d46f1b7ccd5390574b538e60d7b874a1c27917d2e
Instruction ID: b898c56f216b34765bd43de3d16d4ca7db16e6981eed94b1e119501a806857c1
Opcode Fuzzy Hash: df71075d9cf981a10d31514d46f1b7ccd5390574b538e60d7b874a1c27917d2e
Instruction Fuzzy Hash: 0D31C274E01208DFCB08DFA9D950AADBBB2FF88300F148169E915A7350DB35A942CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02FD3698 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1972d811ddbcfd2c0d09b783268bf9bf6b4caf9532b3be9e8783df99949a904c
Instruction ID: 5a876af810d94e6a3506b26d6881e9099fea7d97ce51299c6c891d7ada70aada
Opcode Fuzzy Hash: 1972d811ddbcfd2c0d09b783268bf9bf6b4caf9532b3be9e8783df99949a904c
Instruction Fuzzy Hash: 7E3199B9D012189FCB10CFAAD584ADEFBF5BB09314F24906AE918B7310D374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD36A0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08990ee91186350bb5f280947f7a4fc85aff22b5fce28e8adbf63322896e7d97
Instruction ID: 43fcc6f5f43e0a159b94313753eb279547fa81db821f051593f98f1ace4c7517
Opcode Fuzzy Hash: 08990ee91186350bb5f280947f7a4fc85aff22b5fce28e8adbf63322896e7d97
Instruction Fuzzy Hash: C63198B9D012189FCB10CFAAD984ADEFBF5BB09314F14906AE918B7300D374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1C36 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9007dff2f14e57906f0f92cb370225f82242b68d396841b991aab1d14229e84a
Instruction ID: 49b2cb60d12ca26b1dd3020422c9c961336b64f2b3bb213b9cbbdc3b9524f9e7
Opcode Fuzzy Hash: 9007dff2f14e57906f0f92cb370225f82242b68d396841b991aab1d14229e84a
Instruction Fuzzy Hash: E23138B8E05218CFCB54CFA9D580ADDBBF2BB09300F14916AE919E7344E334AA85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0D58 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22620706b84c97036426fd85f4caeba79aaaf4dc728b86bc29b10230e1449f1f
Instruction ID: 8b2eee130ef53c59180c73d572831d59609ffb79c1b7f8e60afc215d4b5aac91
Opcode Fuzzy Hash: 22620706b84c97036426fd85f4caeba79aaaf4dc728b86bc29b10230e1449f1f
Instruction Fuzzy Hash: 4F311470D0024ACFCB14DFA8D448AEEBBB1FF49301F1581AAD525AB250DB359985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0D68 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e20b4894bc930e68f620e418b8de14aa09a7078f7bb11a3f5b2a214ba39dbc
Instruction ID: e839be62e89fffb847307641a9d54142fe34a49d3dc81f34b7ffbdfa3e1639f8
Opcode Fuzzy Hash: a7e20b4894bc930e68f620e418b8de14aa09a7078f7bb11a3f5b2a214ba39dbc
Instruction Fuzzy Hash: 1221E270D0020ADFCB14DFA9D448AAEFBB2FF48301F15816AD525AB350DB35A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1120 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6b9df52b0183d3659c86e3cfd4b257891a718384d45a10cc60822c2ec92873
Instruction ID: 492033abe06b9369043dd6256cf9d5951cf7be4bfb701e7447587a0c0e565c7a
Opcode Fuzzy Hash: ec6b9df52b0183d3659c86e3cfd4b257891a718384d45a10cc60822c2ec92873
Instruction Fuzzy Hash: D0211735A02208DBDB15DFA9E444AEDB7B6FB89310F14906AD804AB364D7359D44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02FD07E9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4699948ea317052515ed8b40ed4f79ff45e4721e63cc1e2732e3cda286b5044
Instruction ID: bf5eae0363cc75c736497dd7e00007ade52227f6252aea4491791ff5be88aa87
Opcode Fuzzy Hash: e4699948ea317052515ed8b40ed4f79ff45e4721e63cc1e2732e3cda286b5044
Instruction Fuzzy Hash: 26014C34945348DFCB10DFA8D0449CCBFB0EF45304F04C6EAD844AB256D3749A89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02FD3180 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac9121202c7a41ee20348941447103206c2d2d8b201045d5804dac9c11f0dab
Instruction ID: 616a52458c3aa497b8a384d5f478cef3ed43dedcb976307a302933388b66a43f
Opcode Fuzzy Hash: 6ac9121202c7a41ee20348941447103206c2d2d8b201045d5804dac9c11f0dab
Instruction Fuzzy Hash: 07F02432F002581BCB2812BDA8142AD77D7EBC9265B0448BAD71ACB390DE32C8094791

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0869 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d693aa86269aea6633b9127aaa2ec512756e774da5bb0cdc7a325586f7f980eb
Instruction ID: 67455a9b5f42bb703ceb82e2d64b8eeaa24397f2072dc25d66373a2aac7a5983
Opcode Fuzzy Hash: d693aa86269aea6633b9127aaa2ec512756e774da5bb0cdc7a325586f7f980eb
Instruction Fuzzy Hash: 3C010070C49348EFCB01EFA8D4106EEBFB1AF06311F1485AED449A7241EB744A04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD3130 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5405f829eb92010f0272574f3a2927f95de46f05240f9a10192814daa27f863b
Instruction ID: 938648f6c59dcf705cf4e29995dfff9f52d44422dabab7c933f087191a4781df
Opcode Fuzzy Hash: 5405f829eb92010f0272574f3a2927f95de46f05240f9a10192814daa27f863b
Instruction Fuzzy Hash: E1F05E31A00B155BD7349F5F9880917FAEBFFC8654708C93ED20987221DBB098098BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0878 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1d21e5f1a92350c85a64e82ea02e4f8a557143319ce248dab680fe99ae5f9a
Instruction ID: 2692d82c646dd85677d67f7c2d14d4c160a6aa27c1330c8c958347a711424262
Opcode Fuzzy Hash: 3a1d21e5f1a92350c85a64e82ea02e4f8a557143319ce248dab680fe99ae5f9a
Instruction Fuzzy Hash: 06F0EDB4C05208EFCB00EFB8E5446AEBBF1BF09301F6086AA8414B7240EB745B44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD31CB Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621b00fad288acdf917899cfc4d35c632683c2b441b92d3ac0d51917f49a2b41
Instruction ID: 7b2c9d014076de9b990b019c461e74d59190e9c7d6bf061d3fea42450e2f3758
Opcode Fuzzy Hash: 621b00fad288acdf917899cfc4d35c632683c2b441b92d3ac0d51917f49a2b41
Instruction Fuzzy Hash: AEE02033F0024867DF381576EC4639ABBADD788151F044C7EDA11D7341DA31E41487E1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD14F8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58224ce42f8d6022cbb77f4c508a30df3d489eee091736c953ba5883ed24c32e
Instruction ID: c68923f8ff86e5deb1aedca49c1d245f4642d25e9c71643e1969745befde43ea
Opcode Fuzzy Hash: 58224ce42f8d6022cbb77f4c508a30df3d489eee091736c953ba5883ed24c32e
Instruction Fuzzy Hash: 70E08C71C56304DFCB618AB4E81AAE97FB4EB53220F0501EAD408D3211D3390A05DB11

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1508 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3606d02f602f79ec3a3fde4d664bad7ebc973f1d240db0ab4573b998341c9d
Instruction ID: d99b37d85895937c02bbf1eeef095ea1639710539a77d48c356c5c44f2eef698
Opcode Fuzzy Hash: ed3606d02f602f79ec3a3fde4d664bad7ebc973f1d240db0ab4573b998341c9d
Instruction Fuzzy Hash: F7D02230C02208DFCB20EFA4E40CB2EBB38F702301F0001A8D40863304DB300900DB94

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1F74 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.652431398.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fd0000_01904399.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfc00d7224314b8f145472ecfc6b1d19760095ed2d023bf2bd2f69db8bff33e
Instruction ID: 54720a6ca01de22df6a422404374f7ad1733d1ad3a9004f5392df0b4b18662ab
Opcode Fuzzy Hash: fbfc00d7224314b8f145472ecfc6b1d19760095ed2d023bf2bd2f69db8bff33e
Instruction Fuzzy Hash: E5C092A1E5E54586CB186F6482615FA957BDBA7780F043895460E731808A34C600A85E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 01904399.dat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Bitcoin Miner

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url

C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
01904399.dat.exe

Function 00FC2613 Relevance: 1.8, APIs: 1, Instructions: 269
COMMON

Function 00FC2AE8 Relevance: 1.7, APIs: 1, Instructions: 192
libraryCOMMON

Function 00FC2AD9 Relevance: 1.6, APIs: 1, Instructions: 95
libraryCOMMON

Function 00FCC788 Relevance: .5, Instructions: 535
COMMON

Function 00FCAFD0 Relevance: .4, Instructions: 387
COMMON

Function 00FC6374 Relevance: 1.6, APIs: 1, Instructions: 116
libraryCOMMON

Function 00FC3690 Relevance: 1.6, APIs: 1, Instructions: 113
libraryCOMMON

Function 01472720 Relevance: 1.7, APIs: 1, Instructions: 192
libraryCOMMON

Function 0147270F Relevance: 1.6, APIs: 1, Instructions: 101
libraryCOMMON