Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 8, 2024, 10:55 a.m.	Nov. 8, 2024, 10:57 a.m.

Size	6.9MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8e487fecb6d9126067b432788db011de`
SHA256	`235c665b25c1e78fed3ca96e57c374e5a416aad1d27b4ae436a1c6c58604268b`
CRC32	`16E18357`
ssdeep	`98304:/vUOUlzvyfQprVfSHy9fierzHjhlTkil3IVcWvy:/vUO6vRvSy1Ll3WJ`
PDB Path	C:\Users\Virtual\Desktop\Biz\RogueMarket\Products\Rogue Miner V2\Review Backup\Er minator\obj\Release\OmegaMiner.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
1960
- OmegaEngine.exe "C:\Users\test22\Documents\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero
  2236

Name	Response	Post-Analysis Lookup
xmr-eu1.nanopool.org		51.15.58.224
xmr-eu2.nanopool.org		51.210.150.92

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:56613 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:56613 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:56613 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:56613 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:62576 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:62576 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53673 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:62576 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:62576 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64178 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64178 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64178 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:50674 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53658 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53658 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64178 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:50674 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:50674 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64530 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53658 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53658 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
UDP 192.168.56.103:53658 -> 8.8.8.8:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 8, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Nov. 8, 2024, 10:55 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Virtual\Desktop\Biz\RogueMarket\Products\Rogue Miner V2\Review Backup\Er minator\obj\Release\OmegaMiner.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 8, 2024, 10:55 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (43 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c8b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35f4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93efc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 8, 2024, 10:55 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 5500928 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\Documents\System\OmegaEngine.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\Documents\System\OmegaEngine.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 8, 2024, 10:55 a.m.	show_type: 0 filepath_r: C:\Users\test22\Documents\System\OmegaEngine.exe parameters: -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero -o xmr-eu2.nanopool.org:10343 -u 85SayJHvDATLk8TMFyeQYG3aX3GnPkzbcWnyZ4NkUtVbJTUMdF9GqEn24DtX8c8Qf9c6jKQVWzVLaBEUBS7B8Rjn9413x5b -k --coin monero filepath: C:\Users\test22\Documents\System\OmegaEngine.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 8, 2024, 10:55 a.m.	flags: 14 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 8, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Miner.4!c
CAT-QuickHeal	Trojan.MsilFC.S29960883
ALYac	IL:Trojan.MSILZilla.13621
Cylance	Unsafe
VIPRE	IL:Trojan.MSILZilla.13621
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	IL:Trojan.MSILZilla.13621
K7GW	Adware ( 0057b6751 )
K7AntiVirus	Adware ( 0057b6751 )
Arcabit	IL:Trojan.MSILZilla.D3535
VirIT	Trojan.Win32.MSIL.FZD
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/CoinMiner.JU potentially unwanted
Avast	Win32:Miner-HM [PUP]
Kaspersky	HEUR:Trojan.MSIL.Miner.gen
Alibaba	Trojan:MSIL/CoinMiner.20f1222f
NANO-Antivirus	Trojan.Win32.CoinMiner.ktftlh
MicroWorld-eScan	IL:Trojan.MSILZilla.13621
Rising	HackTool.VulnDriver/x64!1.D7DB (CLASSIC)
Emsisoft	IL:Trojan.MSILZilla.13621 (B)
DrWeb	Trojan.MulDrop19.19654
McAfeeD	ti!235C665B25C1
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
Ikarus	PUA.CoinMiner
FireEye	Generic.mg.8e487fecb6d91260
Jiangmin	Trojan.MSIL.alswv
Google	Detected
Antiy-AVL	Trojan/MSIL.Miner
Kingsoft	MSIL.Trojan.Miner.gen
Gridinsoft	Trojan.Win32.XMRig.tr
Xcitium	ApplicUnwnt@#342fj88k1dk7q
Microsoft	Trojan:MSIL/CoinMiner.NL!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Miner.gen
GData	IL:Trojan.MSILZilla.13621
Varist	W32/ABMiner.XPHS-1153
AhnLab-V3	Trojan/Win.MSILKrypt.R511615
McAfee	GenericRXAA-FA!8E487FECB6D9
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.MSIL
Malwarebytes	Malware.AI.4261160785
Panda	Trj/GdSda.A
Tencent	Malware.Win32.Gencirc.10be9a46
Yandex	Trojan.Miner!epmMOkZEavY
huorong	Trojan/CoinMiner.hh
Fortinet	Riskware/Miner
AVG	Win32:Miner-HM [PUP]
Paloalto	generic.ml

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All