Summary | ZeroBOX

dd.exe

XMRig Miner Gen1 Suspicious_Script_Bin Generic Malware UPX Malicious Library Malicious Packer PE64 PE File OS Processor Check PE32
Category | Machine | Started | Completed
FILE | s1_win7_x6401 | June 19, 2024, 9:53 a.m. | June 19, 2024, 9:57 a.m.
Size 3.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5 d27a00984e82dbfc554df8a53e03cbcc
SHA256 b8d92a1b30253b1525bbf7e1e38429291cb68085f0886c35cbee22baa66d024b
CRC32 B8A0B5D1
ssdeep 49152:YKoiWztohDIZZYiOG2qPX4xRgPZcUAtijL+kOqxvDUuPBBVFJt6NGGTDVOXLyagR:YKRWJ6sDYI2qPX4fgPZcUAUjSkXvDUiG
PDB Path d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name | Response | Post-Analysis Lookup
pool.hashvault.pro | 125.253.92.50 |

IP Address | Status | Action
125.253.92.50 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | Crypto Currency Mining Activity Detected
TCP 192.168.56.101:49171 -> 125.253.92.50:8888 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49171 -> 125.253.92.50:8888 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\WINDOWS\Debug\dd\svchost.exe; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: install "Networks5" C:\WINDOWS\Debug\dd\systems.exe; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: sc; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: config "Networks5" DisplayName= "Networksrs5"; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: sc; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: description "Networks5" "Microsoft Windows Networks"; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: Set; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: ProcessName=systems.exe; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: sc; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: start "Networks5"; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: attrib; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd +h +a; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: attrib; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd\*.json +h +a +s +r; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: attrib; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd\*.exe +h +a +s +r; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: C:\Windows\debug\dd>; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: netsh; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleW | buffer: S; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: e; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: r; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: v; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: i; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: c; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: e; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: N; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: e; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: t; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: w; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: o; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: r; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: k; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: s; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: i; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: n; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: s; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: t; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: a; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: l; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: l; console_handle: 0x0000000f | 1 | 1 | 0
WriteConsoleW | buffer: e; console_handle: 0x0000000f | 1 | 1 | 0
pdb_path d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Time & API | Arguments | Status | Return | Repeated
NtProtectVirtualMemory | process_identifier: 2640; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73bb1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2640; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x733d1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2640; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73394000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2640; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x733d2000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2640; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73951000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2640; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x76281000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2640; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x75bc1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2640; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x75d21000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73921000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72d91000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x764b1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73761000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73251000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73741000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72d71000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72d51000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72d01000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x730d1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72cc1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72c21000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72c11000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72b91000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72b61000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x76281000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x75bc1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x75d21000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72b31000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72a11000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x729b1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72961000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x726e1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x726d1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72681000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72661000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72631000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x725f1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x725d1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72541000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x75b71000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x724c1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x724b1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72491000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72481000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72441000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72401000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x723c1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72371000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72301000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72291000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x72241000; process_handle: 0xffffffff | 1 | 0 | 0
Name | Language | Sublanguage | Filetype | Offset | Size
RT_BITMAP | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0005154c | 0x00000bb6
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00052a7c | 0x000008a8
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00052a7c | 0x000008a8
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00052a7c | 0x000008a8
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00052a7c | 0x000008a8
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000539bc | 0x000001ce
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000539bc | 0x000001ce
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000539bc | 0x000001ce
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000539bc | 0x000001ce
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000539bc | 0x000001ce
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x000539bc | 0x000001ce
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00054250 | 0x0000004a
RT_GROUP_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0005429c | 0x0000003e
RT_MANIFEST | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | XML 1.0 document, ASCII text, with CRLF line terminators | 0x000542dc | 0x000006ca
file C:\Windows\debug\dd\svchost.exe
file C:\Windows\debug\dd\systems.exe
file C:\Windows\debug\dd\cmd.bat
Time & API | Arguments | Status | Return | Repeated
CreateServiceW | service_start_name: ; start_type: 2; password: ; display_name: Networks5; filepath: C:\Windows\debug\dd\svchost.exe; service_name: Networks5; filepath_r: C:\WINDOWS\Debug\dd\svchost.exe; desired_access: 983551; service_handle: 0x0084c758; error_control: 1; service_type: 16; service_manager_handle: 0x0084c7f8 | 1 | 8701784 | 0
cmdline C:\WINDOWS\Debug\dd\svchost.exe install "Networks5" C:\WINDOWS\Debug\dd\systems.exe
file C:\Windows\debug\dd\cmd.bat
file C:\Windows\debug\dd\svchost.exe
Time & API | Arguments | Status | Return | Repeated
CreateProcessInternalW | thread_identifier: 2832; thread_handle: 0x000000f8; process_identifier: 2828; current_directory: C:\Windows\debug\dd; filepath: C:\Windows\debug\dd\svchost.exe; track: 1; command_line: C:\WINDOWS\Debug\dd\svchost.exe install "Networks5" C:\WINDOWS\Debug\dd\systems.exe; filepath_r: C:\WINDOWS\Debug\dd\svchost.exe; stack_pivoted: 0; creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT); inherit_handles: 1; process_handle: 0x000000f4 | 1 | 1 | 0
cmdline attrib C:\Windows\debug\dd\*.exe +h +a +s +r
cmdline sc start "Networks5"
cmdline sc config "Networks5" DisplayName= "Networksrs5"
cmdline netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
cmdline sc description "Networks5" "Microsoft Windows Networks"
cmdline attrib C:\Windows\debug\dd\*.json +h +a +s +r
cmdline attrib C:\Windows\debug\dd +h +a
service_name Networks5 service_path C:\Windows\debug\dd\svchost.exe
cmdline netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
Lionic Trojan.Win32.Hory.4!c
Elastic malicious (moderate confidence)
Cynet Malicious (score: 99)
CAT-QuickHeal JSON.CoinMiner.45049
Skyhigh BehavesLike.Win32.Dropper.vc
ALYac Trojan.GenericKD.71587254
Cylance Unsafe
VIPRE Trojan.Zmutzy.Hory.1
Sangfor CoinMiner.Win64.Agent.Vigv
K7AntiVirus Riskware ( 005622c31 )
BitDefender Trojan.Zmutzy.Hory.1
K7GW Riskware ( 005622c31 )
Cybereason malicious.84e82d
Arcabit Trojan.Zmutzy.Hory.1 [many]
Symantec Trojan.Gen.MBT
ESET-NOD32 Win64/CoinMiner.RO potentially unwanted
APEX Malicious
McAfee Artemis!D27A00984E82
Avast BV:Miner-HA [PUP]
ClamAV Win.Coinminer.Generic-7151250-0
Kaspersky HEUR:Trojan.Win32.Miner.gen
Alibaba TrojanDropper:Win64/Miners.c48f52d0
NANO-Antivirus Riskware.Win64.BitCoinMiner.keeqag
MicroWorld-eScan Trojan.Zmutzy.Hory.1
Rising HackTool.VulnDriver/x64!1.D7DB (CLASSIC)
Emsisoft Trojan.Zmutzy.Hory.1 (B)
F-Secure PotentialRisk.PUA/CoinMiner.bencb
DrWeb Tool.Nssm.5
Zillya Tool.BitCoinMiner.Win32.42967
TrendMicro Trojan.Win64.BITCOINMINER.R002C0DKN23
McAfeeD ti!B8D92A1B3025
FireEye Trojan.Zmutzy.Hory.1
Sophos Generic Reputation PUA (PUA)
Ikarus Trojan.Win64.DisguisedXMRigMiner
Jiangmin RiskTool.BitCoinMiner.aupw
Google Detected
Avira PUA/CoinMiner.bencb
MAX malware (ai score=86)
Antiy-AVL RiskWare/Win32.VulnDriver
Gridinsoft Trojan.Win32.XMRig.tr
Xcitium ApplicUnwnt@#21tod6o0kzkcr
Microsoft Trojan:Win64/DisguisedXMRigMiner
ZoneAlarm HEUR:Trojan.Win64.Reincarnation.gen
GData Win32.Application.CoinMiner.Y
Varist W64/Coinminer.BN.gen!Eldorado
DeepInstinct MALICIOUS
VBA32 Trojan.Win64.XMRigMiner
Malwarebytes Malware.AI.1392274238
Panda Trj/CI.A
Tencent Win64.Risk.Bitminer.Gplw