Manalyze report for a198b777e1edc475091c9fb0d4ecc530

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2020-Jul-27 03:03:23
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.
OriginalFilename	xmrig.exe

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for VMWare presence: vmtools` `Contains references to mining pools: stratum+tcp://` `Contains domain names: donate.ssl.xmrig.com donate.v2.xmrig.com https://xmrig.com nicehash.com ssl.xmrig.com v2.xmrig.com xmrig.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses known Diffie-Helman primes` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: _TEXT_ad` `Unusual section name found: _RANDOMX` `Unusual section name found: _SHA3_25` `Unusual section name found: _TEXT_CN` `Unusual section name found: _TEXT_CN`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryW LoadLibraryExW` `Functions which can be used for anti-debugging purposes: SwitchToThread NtQuerySystemInformation` `Can access the registry: RegCreateKeyA RegSetValueA RegQueryValueExA RegSetValueExA RegOpenKeyExA` `Uses Microsoft's cryptographic API: CryptAcquireContextA CryptGenRandom CryptEnumProvidersW CryptSignHashW CryptDestroyHash CryptCreateHash CryptDecrypt CryptExportKey CryptGetUserKey CryptGetProvParam CryptSetHashParam CryptDestroyKey CryptReleaseContext CryptAcquireContextW` `Can create temporary files: CreateFileW CreateFileA GetTempPathW` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Has Internet access capabilities: URLDownloadToFileA` `Leverages the raw socket API to access the Internet: #111 #19 #16 #112 #15 WSASend #10 #18 WSARecvFrom WSAIoctl #9 #22 WSASocketW #5 WSARecv FreeAddrInfoW GetAddrInfoW #57 #8 #23 #21 #13 #3 #2 #116 #115 #7 #6` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Interacts with services: CreateServiceW QueryServiceStatus OpenSCManagerW QueryServiceConfigA DeleteService ControlService OpenServiceW` `Enumerates local disk drives: GetDriveTypeW` `Interacts with the certificate store: CertOpenStore`
Malicious	VirusTotal score: 23/71 (Scanned on 2020-08-01 02:46:57)	`MicroWorld-eScan: Gen:Variant.Razy.704958` `ESET-NOD32: a variant of Win64/CoinMiner.QG potentially unwanted` `APEX: Malicious` `ClamAV: Win.Coinminer.Generic-7151250-0` `Kaspersky: not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen` `BitDefender: Gen:Variant.Razy.704958` `Ad-Aware: Gen:Variant.Razy.704958` `Sophos: XMRig Miner (PUA)` `Invincea: heuristic` `FireEye: Generic.mg.a198b777e1edc475` `Emsisoft: Gen:Variant.Razy.704958 (B)` `SentinelOne: DFI - Suspicious PE` `Endgame: malicious (high confidence)` `Arcabit: Trojan.Razy.DAC1BE` `ZoneAlarm: not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen` `GData: Gen:Variant.Razy.704958` `AhnLab-V3: Win-Trojan/Miner3.Exp` `ALYac: Gen:Variant.Razy.704958` `MAX: malware (ai score=81)` `Rising: HackTool.CoinMiner!1.B971 (CLASSIC)` `Ikarus: PUA.CoinMiner` `Cybereason: malicious.c09ad5` `Qihoo-360: Win32/Virus.RiskTool.435`

Hashes

MD5	`a198b777e1edc475091c9fb0d4ecc530`
SHA1	`4aef070c09ad5051dd1020bc3367fff3e6b8f2c8`
SHA256	`527dd3087575373c9c2843dd001daf6ed71d440f0f17703880f4a9b9b253c427`
SHA3	`add9fc1fb9b4411edb3624237fbbb3a8e20e3c5bfc97f3e8e57433c30363ed02`
SSDeep	`98304:UNdlxxZQOViIsP12huuM61naf13xuBm2+b:UNdlK12huuM61nk134Qlb`
Imports Hash	`1d55f3512860814d73a9004d976e8a82`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x120`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`11`
TimeDateStamp	2020-Jul-27 03:03:23
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2ed600`
SizeOfInitializedData	`0x4a1400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000029DDE4 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x795000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`7b04651b843a1a59a67037e317f8e035`
SHA1	`60d60f98fb2e5c0d9fd206b70816e6e4e8373b76`
SHA256	`9f8752fdd01f71a2b007d2d6254f2f18307e6eb7c50deb6772edc0b4eb657dd0`
SHA3	`48838c94af76d8c205b921c15970c55361a0b005fffbe0ceed25a1fa1986f91c`
VirtualSize	`0x2ed420`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2ed600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.50391`

.rdata

MD5	`ecf61421fb1037ed2b832e09a1a58080`
SHA1	`059c6aa4c87f24e50fef89c1109610fb54d6b27c`
SHA256	`8e925cc2ed2ffa2303d084903b0db93c0c01b92910e226328897fe86ec8cf437`
SHA3	`d2fb9d27750674274a7dc3be6fec52d0a8e304e99d348c1378555d4101de5721`
VirtualSize	`0x1346bc`
VirtualAddress	`0x2ef000`
SizeOfRawData	`0x134800`
PointerToRawData	`0x2eda00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.90846`

.data

MD5	`36bc1caaa650a8facdbb90e17fccd002`
SHA1	`34bdb674d563f5bd3f58a50c41c9d88d0467a978`
SHA256	`a8bb561f454615fada46b159d4a0ec0a0d8976d6cb2794a80893b4f86a5a2bd2`
SHA3	`ae11128aaa8f1f63c7a46621e8ae3eefe8d44892c5fea612a948ec2f40c1b386`
VirtualSize	`0x333da0`
VirtualAddress	`0x424000`
SizeOfRawData	`0x12200`
PointerToRawData	`0x422200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.97091`

.pdata

MD5	`73ff48ddc5ccf1b4cf9e11bb39729f3e`
SHA1	`ff069044025667d0de5ab4447c85ccb2481c85ef`
SHA256	`01d4cae0b59d40b572e5ddea4126b9d552c40e1f477073f120d1ce5e1d002ffa`
SHA3	`c24c425524ee30649b3aa7e6c83fce0ca78da47638012c7bb232353dd439a98d`
VirtualSize	`0x1ef3c`
VirtualAddress	`0x758000`
SizeOfRawData	`0x1f000`
PointerToRawData	`0x434400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.29379`

_TEXT_ad

MD5	`4667155b067cd73d2bce93370909a00c`
SHA1	`876977179e2432dd092d433e720c5644cf4b4efb`
SHA256	`f15a5b6ff92b1e600b5c472e4bffa1032ece0e5e3aed2146b934b0eb62fea296`
SHA3	`2bf4d3282681ac60ba372aeaee59247ffb56f4d63187f88d2ed2d2d9a5493b64`
VirtualSize	`0x7`
VirtualAddress	`0x777000`
SizeOfRawData	`0x200`
PointerToRawData	`0x453400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`0.0611629`

_RANDOMX

MD5	`b182bf6976fc56dcc30743b1e5cbdaae`
SHA1	`e2c8b45a787b045df40500ebdf6ee547a5f7b889`
SHA256	`a4b0f5a526f50645ed35b54605f84546829c014dd61d948279dfc9a8510342a5`
SHA3	`14f9f11d271d5c82b7eab95e6dd20f5602983ac54eecf5120f6834191aa3d044`
VirtualSize	`0x656`
VirtualAddress	`0x778000`
SizeOfRawData	`0x800`
PointerToRawData	`0x453600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.18245`

_SHA3_25

MD5	`c14f9aad5e95192cd7523ba6675549fd`
SHA1	`1e0ed87b288785d031216f9fef8a038f36a823a3`
SHA256	`14475aa8e267606c3afb755028927daf9be4fa79973b697cde8e21f58daa6e83`
SHA3	`b1b3a5331b9a021a8793cb08d7282927880f6e8bde2e9553515265539504ff7f`
VirtualSize	`0x940`
VirtualAddress	`0x779000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x453e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.58316`

_TEXT_CN

MD5	`6a7f77e47f77f65bef85036ae5a71106`
SHA1	`317201314b5f3e12f88eacef2a87bc8dad03a6ed`
SHA256	`7682a937b3193b26b97f1f56a631fdee93289b69ecfefc926a95ebd8b8a38732`
SHA3	`a6e8b6125874204173800836305d18a11d4f0461c9059d7897081fd324592a8a`
VirtualSize	`0x18ce`
VirtualAddress	`0x77a000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0x454800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.00097`

_TEXT_CN (#2)

MD5	`409bf3f918f2402291cb56c2e9354b47`
SHA1	`4992a8b9c3e33a7f8659bd20066f907134f7c337`
SHA256	`97edf367117028c754aed0c10748bfa55d73a87af588af16d5b24610e1652b08`
SHA3	`a8379e211aa90421ff01b9567092fde1be282d339ea986b42067baed4539be96`
VirtualSize	`0x1184`
VirtualAddress	`0x77c000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x456200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.04792`

.rsrc

MD5	`d9efeb941a667e647eb293eef37e2266`
SHA1	`156c7b4d51762cc90852ab6ce3439d446dc0e1f4`
SHA256	`d323e1214d83c83f99de9084673e77d51eed5e891226fe4ace799fc2d7589805`
SHA3	`8bb3fdec37432950cca10b60108ef7d28c808b3e38712531eeac12e7e9a3cb46`
VirtualSize	`0xd6d8`
VirtualAddress	`0x77e000`
SizeOfRawData	`0xd800`
PointerToRawData	`0x457400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.73577`

.reloc

MD5	`997a40d4b51f05627f8ef6678536d6e6`
SHA1	`cd82c00c686bc2efb563345d5f00c74932592057`
SHA256	`d07ec8abaec234b22ab66422cfeaba8545a962f41afcfd6bf830df9b574a0a1b`
SHA3	`c7dc89a32c17dfa08991c470885528525f5c0bf2f9daf92bd967d0fd5458b56a`
VirtualSize	`0x8558`
VirtualAddress	`0x78c000`
SizeOfRawData	`0x8600`
PointerToRawData	`0x464c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.45254`

Imports

WS2_32.dll	`#111` `#19` `#16` `#112` `#15` `WSASend` `#10` `#18` `WSARecvFrom` `WSAIoctl` `#9` `#22` `WSASocketW` `#5` `WSARecv` `FreeAddrInfoW` `GetAddrInfoW` `#57` `#8` `#23` `#21` `#13` `#3` `#2` `#116` `#115` `#7` `#6`
PSAPI.DLL	`GetProcessMemoryInfo`
IPHLPAPI.DLL	`GetAdaptersAddresses`
USERENV.dll	`GetUserProfileDirectoryW`
CRYPT32.dll	`CertDuplicateCertificateContext` `CertFreeCertificateContext` `CertGetCertificateContextProperty` `CertEnumCertificatesInStore` `CertCloseStore` `CertFindCertificateInStore` `CertOpenStore`
KERNEL32.dll	`ExpandEnvironmentStringsA` `GetModuleFileNameA` `FindFirstFileA` `GetCurrentProcess` `FindNextFileA` `GetEnvironmentVariableA` `FindClose` `GetFileAttributesA` `CloseHandle` `ExitProcess` `MultiByteToWideChar` `SetPriorityClass` `SetThreadPriority` `GetCurrentThread` `GetProcAddress` `GetModuleHandleW` `FreeConsole` `GetConsoleWindow` `VirtualProtect` `VirtualFree` `VirtualAlloc` `GetLargePageMinimum` `LocalAlloc` `GetLastError` `LocalFree` `FlushInstructionCache` `DeviceIoControl` `GetModuleFileNameW` `CreateFileW` `GetCurrentThreadId` `AddVectoredExceptionHandler` `SetLastError` `GetSystemTime` `SystemTimeToFileTime` `GetModuleHandleExW` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionAndSpinCount` `DeleteCriticalSection` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `SwitchToFiber` `DeleteFiber` `CreateFiber` `FindFirstFileW` `FindNextFileW` `WideCharToMultiByte` `GetFileType` `WriteFile` `ConvertFiberToThread` `ConvertThreadToFiber` `QueryPerformanceCounter` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `FreeLibrary` `LoadLibraryA` `LoadLibraryW` `GetEnvironmentVariableW` `ReadConsoleA` `ReadConsoleW` `GetConsoleScreenBufferInfo` `SetConsoleTextAttribute` `RegisterWaitForSingleObject` `UnregisterWait` `GetConsoleCursorInfo` `DuplicateHandle` `PostQueuedCompletionStatus` `QueueUserWorkItem` `SetConsoleCursorInfo` `FillConsoleOutputCharacterW` `ReadConsoleInputW` `CreateFileA` `WriteConsoleInputW` `FillConsoleOutputAttribute` `WriteConsoleW` `GetNumberOfConsoleInputEvents` `SetConsoleCursorPosition` `VerifyVersionInfoA` `SetEnvironmentVariableW` `InitializeCriticalSection` `GetTempPathW` `GetVersionExW` `FreeEnvironmentStringsW` `LoadResource` `FileTimeToSystemTime` `QueryPerformanceFrequency` `LockResource` `GetSystemInfo` `GetCurrentDirectoryW` `SetCurrentDirectoryW` `VerSetConditionMask` `GlobalMemoryStatusEx` `GetEnvironmentStringsW` `CreateDirectoryW` `ReadFile` `GetFileInformationByHandleEx` `GetFileSizeEx` `GetDiskFreeSpaceW` `RemoveDirectoryW` `GetFinalPathNameByHandleW` `SetFileTime` `ReOpenFile` `CreateHardLinkW` `GetFileAttributesW` `UnmapViewOfFile` `GetFileInformationByHandle` `FlushViewOfFile` `SetFilePointerEx` `CreateFileMappingA` `MoveFileExW` `CopyFileW` `CreateSymbolicLinkW` `MapViewOfFile` `FlushFileBuffers` `SetConsoleCtrlHandler` `Sleep` `GetLongPathNameW` `RtlUnwind` `ReadDirectoryChangesW` `CreateIoCompletionPort` `CancelIo` `SetHandleInformation` `CreateEventA` `SetFileCompletionNotificationModes` `FormatMessageA` `LoadLibraryExW` `SetErrorMode` `GetQueuedCompletionStatus` `GetQueuedCompletionStatusEx` `SetNamedPipeHandleState` `CreateNamedPipeW` `PeekNamedPipe` `WaitForSingleObject` `CancelSynchronousIo` `GetNamedPipeHandleStateA` `CancelIoEx` `SwitchToThread` `ConnectNamedPipe` `TerminateProcess` `UnregisterWaitEx` `LCMapStringW` `GetExitCodeProcess` `SleepConditionVariableCS` `TryEnterCriticalSection` `ReleaseSemaphore` `WakeConditionVariable` `InitializeConditionVariable` `ResumeThread` `SetEvent` `GetNativeSystemInfo` `CreateSemaphoreA` `GetModuleHandleA` `DebugBreak` `GetStartupInfoW` `GetProcessAffinityMask` `SetProcessAffinityMask` `SetThreadAffinityMask` `GetThreadTimes` `GetNumaHighestNodeNumber` `DeleteTimerQueueTimer` `ChangeTimerQueueTimer` `CreateTimerQueueTimer` `GetLogicalProcessorInformation` `GetThreadPriority` `CreateThread` `SignalObjectAndWait` `CreateTimerQueue` `InitializeSListHead` `IsDebuggerPresent` `IsProcessorFeaturePresent` `SizeofResource` `GetConsoleMode` `SetConsoleMode` `FreeLibraryAndExitThread` `InterlockedPopEntrySList` `FindResourceW` `GetStdHandle` `SetConsoleTitleA` `InterlockedPushEntrySList` `InterlockedFlushSList` `QueryDepthSList` `RtlUnwindEx` `RtlPcToFileHeader` `RaiseException` `GetCommandLineA` `GetCommandLineW` `GetDriveTypeW` `SystemTimeToTzSpecificLocalTime` `SetStdHandle` `GetConsoleCP` `GetFileAttributesExW` `SetFileAttributesW` `ExitThread` `GetACP` `HeapReAlloc` `HeapFree` `HeapAlloc` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `HeapSize` `GetFullPathNameW` `SetEndOfFile` `GetTimeZoneInformation` `FindFirstFileExA` `IsValidCodePage` `GetOEMCP` `SetEnvironmentVariableA` `GetProcessHeap` `GetShortPathNameW` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `ResetEvent` `GetStringTypeW` `GetLocaleInfoW` `CompareStringW` `GetTickCount` `CreateEventW` `GetCPInfo` `WaitForSingleObjectEx` `GetExitCodeThread` `EncodePointer` `DecodePointer`
USER32.dll	`TranslateMessage` `DispatchMessageA` `GetProcessWindowStation` `ShowWindow` `MessageBoxW` `GetUserObjectInformationW` `MapVirtualKeyW` `GetSystemMetrics` `GetMessageA`
SHELL32.dll	`ShellExecuteExA` `SHGetSpecialFolderPathA`
ADVAPI32.dll	`CryptAcquireContextA` `CryptGenRandom` `GetUserNameW` `CryptEnumProvidersW` `CryptSignHashW` `CryptDestroyHash` `CryptCreateHash` `CryptDecrypt` `CryptExportKey` `CryptGetUserKey` `CryptGetProvParam` `CryptSetHashParam` `CryptDestroyKey` `CryptReleaseContext` `CryptAcquireContextW` `ReportEventW` `RegisterEventSourceW` `DeregisterEventSource` `CreateServiceW` `QueryServiceStatus` `CloseServiceHandle` `OpenSCManagerW` `QueryServiceConfigA` `DeleteService` `ControlService` `StartServiceW` `OpenServiceW` `LookupPrivilegeValueW` `AdjustTokenPrivileges` `LsaOpenPolicy` `LsaAddAccountRights` `LsaClose` `RegCreateKeyA` `RegSetValueA` `RegQueryValueExA` `RegSetValueExA` `OpenProcessToken` `RegOpenKeyExA` `GetTokenInformation`
urlmon.dll	`URLDownloadToFileA`
ntdll.dll	`RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `NtQuerySystemInformation`
bcrypt.dll	`BCryptGenRandom`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xd228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.65512`
MD5	`8169bae42bb2b7aecb873df66d7f9ca2`
SHA1	`de971ed6fdf6d22089d49c5d870742866dde04df`
SHA256	`e611a23ac6de9ae8a81a698dc6f3ac55580ba7b6fe95b223bb906942df9a0176`
SHA3	`374e8d24f8c1bc7b888d214fcf1f06fb48717b3cb322f7ad2f56458b29dc1700`

101

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.01924`
Detected Filetype	Icon file
MD5	`95a748887c173a3d92a9213fac7fac78`
SHA1	`c560c9dcace07f0b0ca35cdb9461dc6d1b7533fe`
SHA256	`289d7eefbc7798905c91badc69da6071dddff63610b095041e83068b6da850fc`
SHA3	`0e2c994139555d21e74baabee761e026203b2d922c8653cad31a9e6705283248`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.15609`
MD5	`67b98aa9e253a75b1a58737fa24cbfe2`
SHA1	`689299c7c1a4734b4e488ebf3745dc5fd250bcfc`
SHA256	`d220d00b3cdcc3a49e1443c2fc6b45063b64188bf346cec511c0a08a6f71ad65`
SHA3	`c6a332003bbef71f7e1beda56a1fc30a79cc3d015df949e5e3e21d0a14aaac17`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.2.3.0
ProductVersion	6.2.3.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
OriginalFilename	xmrig.exe

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-Jul-27 03:03:23
Version	`0.0`
SizeofData	`1208`
AddressOfRawData	`0x3f2ac4`
PointerToRawData	`0x3f14c4`

TLS Callbacks

StartAddressOfRawData	`0x1403f2fa0`
EndAddressOfRawData	`0x1403f2fbc`
AddressOfIndex	`0x1404394c8`
AddressOfCallbacks	`0x1402efdb0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x000000014029DB34`

Load Configuration

Size	`0x100`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140429598`

RICH Header

XOR Key	`0x199b51cb`
Unmarked objects	`0`
C objects (24610)	`24`
ASM objects (24610)	`13`
C++ objects (24610)	`188`
199 (41118)	`4`
ASM objects (VS 2015/2017 runtime 26706)	`9`
C++ objects (VS 2015/2017 runtime 26706)	`128`
C objects (VS 2015/2017 runtime 26706)	`38`
C objects (27042)	`16`
Imports (24610)	`25`
Total imports	`365`
C objects (VS2017 v15.9.14-15 compiler 27032)	`564`
265 (27042)	`256`
ASM objects (27042)	`5`
Resource objects (27042)	`1`
151	`1`
Linker (27042)	`1`

a198b777e1edc475091c9fb0d4ecc530

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

_TEXT_ad

_RANDOMX

_SHA3_25

_TEXT_CN

_TEXT_CN (#2)

.rsrc

.reloc

Imports

Delayed Imports

1

101

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors