Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 31, 2021, 10:25 a.m.	March 31, 2021, 10:36 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c952383a9e62b399001ebbb03468d786`
SHA256	`f45992d5769523b5380d45fe1a40f2c921eabf98b695d2c2b272bcde12cab75e`
CRC32	`0100365A`
ssdeep	`49152:xA6ESVrsSkp1tRzRHON1ykC24GecSjPzUNSdnRG:xA6xRkt9RH8vLccSjPl`
Yara	PE_Header_Zero - PE File Signature Zero Antivirus - Contains references to security software network_http - Communications over HTTP win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

csrss.exe "C:\Users\test22\AppData\Local\Temp\csrss.exe"
2616
- notepad.exe "C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
  7528
- cmd.exe cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
  1160
  - wscript.exe WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
    8104

Name	Response	Post-Analysis Lookup
pool.supportxmr.com	A 91.121.140.167 A 94.23.247.226 CNAME pool-fr.supportxmr.com A 37.187.95.110 A 94.23.23.52 A 149.202.83.171	94.23.247.226

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
45.144.225.135	Active	Moloch
91.121.140.167	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 31, 2021, 10:23 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://45.144.225.135/config.txt

Performs some HTTP requests (1 event)

request

GET http://45.144.225.135/config.txt

Allocates read-write-execute memory (usually to unpack itself) (39 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:24 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:25 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:25 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:25 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:25 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:25 a.m.	process_identifier: 2616 region_size: 1916928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 7528 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 7528 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 7528 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ae0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 7528 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002bc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 31, 2021, 10:23 a.m.	process_identifier: 8104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

csrss.exe tried to sleep 234 seconds, actually delayed analysis time by 234 seconds

Creates a suspicious process (1 event)

cmdline

cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 31, 2021, 10:23 a.m.	thread_identifier: 2776 thread_handle: 0x0000027c process_identifier: 1160 current_directory: filepath: track: 1 command_line: cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000278	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (42 events)

Time & API	Arguments	Status	Return
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: mobsync.exe process_identifier: 5204	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 5788	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: taskhost.exe process_identifier: 6464	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 5780	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 2328	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 2952	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: csrss.exe process_identifier: 2616	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: slui.exe process_identifier: 5776	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: 犚 process_identifier: 4402392		0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: notepad.exe process_identifier: 7528	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: taskhost.exe process_identifier: 5656	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 8752	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 6952	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 8948	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 7816	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 6472	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 3360	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 3812	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 7112	1	1
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 9024	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 8300	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 4404	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 1756	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: cmd.exe process_identifier: 6980	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 4780	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 8628	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: slui.exe process_identifier: 9100	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 3968	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 3980	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 4764	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 9112	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 6552	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 5596	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 2728	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 7000	1	1
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 8604	1	1
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x000000cc process_name: cmd.exe process_identifier: 8700	1	1
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x000000cc process_name: conhost.exe process_identifier: 6688	1	1
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 7632	1	1
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x00000200 process_name: cmd.exe process_identifier: 1904	1	1
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x00000200 process_name: conhost.exe process_identifier: 1032	1	1
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x00000200 process_name: pw.exe process_identifier: 7056	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001c5200', u'virtual_address': u'0x0000c000', u'entropy': 7.967798999296189, u'name': u'.data', u'virtual_size': u'0x001c6f28'}

entropy

7.9677989993

description

A section with a high entropy has been found

entropy

0.9765625

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (38 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x00000278 process_name: slui.exe process_identifier: 5776		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 8948		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000027c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000028c process_name: pw.exe process_identifier: 3360		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x0000028c process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x00000258 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:23 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 9024		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 1756		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 8628		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 8628		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000258 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000224 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000200 process_name: pw.exe process_identifier: 4764		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x000000cc process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000200 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000200 process_name: pw.exe process_identifier: 5596		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000200 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000200 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:24 a.m.	snapshot_handle: 0x00000200 process_name: pw.exe process_identifier: 8604		0	0
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x00000200 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x00000200 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x000000cc process_name: pw.exe process_identifier: 7632		0	0
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x00000200 process_name: taskhost.exe process_identifier: 5656		0	0
Process32NextW March 31, 2021, 10:25 a.m.	snapshot_handle: 0x00000200 process_name: pw.exe process_identifier: 7056		0	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	45.144.225.135

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW March 31, 2021, 10:23 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Windows\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Windows\WinRing0x64.sys desired_access: 983551 service_handle: 0x0000000000c47c80 error_control: 1 service_type: 1 service_manager_handle: 0x0000000000c47ad0	1	12876928	0

Deletes executed files from disk (1 event)

file	C:\ProgramData\LKBNMTFJgl\r.vbs

Network communications indicative of possible code injection originated from the process csrss.exe (3 events)

Time & API	Arguments	Status	Return
InternetCrackUrlA March 31, 2021, 10:23 a.m.	url: http://45.144.225.135/config.txt flags: 0	1	1
InternetConnectA March 31, 2021, 10:23 a.m.	username: service: 3 hostname: 45.144.225.135 internet_handle: 0x00cc0004 flags: 0 password: port: 80	1	13369352
HttpOpenRequestA March 31, 2021, 10:23 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2221732608 http_method: GET referer: path: /config.txt	1	13369356

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.FamVT.LozakaD.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.Zard.25
FireEye	Generic.mg.c952383a9e62b399
McAfee	GenericRXNE-HV!C952383A9E62
Cylance	Unsafe
Zillya	Trojan.CoinMiner.Win32.27009
Sangfor	Miner.Win32.Remix_25.se
Cybereason	malicious.a9e62b
Arcabit	Trojan.Mint.Zard.25
BitDefenderTheta	AI:Packer.A3DF1C0E1E
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:CoinminerX-gen [Trj]
ClamAV	Win.Trojan.Zard-9778604-0
Kaspersky	Trojan.Win32.BitCoinMiner.etj
BitDefender	Gen:Heur.Mint.Zard.25
NANO-Antivirus	Riskware.Win32.BitMiner.hlxrop
Tencent	Win32.Trojan.Coinminer.Syri
Ad-Aware	Gen:Heur.Mint.Zard.25
Emsisoft	Gen:Heur.Mint.Zard.25 (B)
Comodo	Application.Win32.CoinMiner.BEX@7pt9re
DrWeb	Trojan.Siggen9.54415
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Sophos	Troj/AutoG-JQ
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.BitCoinMiner.ht
eGambit	Unsafe.AI_Score_99%
Avira	TR/ATRAPS.Gen
Microsoft	Trojan:Win32/CoinMiner.BW!bit
ZoneAlarm	Trojan.Win32.BitCoinMiner.etj
GData	Gen:Heur.Mint.Zard.25
Cynet	Malicious (score: 100)
AhnLab-V3	Win-Trojan/Malpacked3.Gen
Acronis	suspicious
VBA32	BScope.Trojan.BtcMine
ALYac	Gen:Heur.Mint.Zard.25
MAX	malware (ai score=84)
Malwarebytes	Nimnul.Virus.FileInfector.DDS
ESET-NOD32	a variant of Win32/CoinMiner.BHW
Rising	Trojan.CoinMiner!1.C747 (RDMK:cmRtazpo4rs4ehNUr5KT0luHYTo3)
Yandex	Trojan.GenAsa!bNe2xAxJt+s
Ikarus	Trojan.Win32.CoinMiner
MaxSecure	Trojan.Malware.103086622.susgen
Fortinet	W32/CoinMiner.BHW!tr
AVG	Win32:CoinminerX-gen [Trj]
Panda	Trj/Genetic.gen
Qihoo-360	HEUR/QVM20.1.2189.Malware.Gen

csrss.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All