Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 6, 2025, 9:36 p.m.	May 6, 2025, 9:39 p.m.

Size	6.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`530058a2734e0c83cf81f50a43bdb243`
SHA256	`dde8a15bf633b6ffd33dd485ae6c97fc3aecc87978fcdb9dbc0bcfa2aa3b5491`
CRC32	`441697FC`
ssdeep	`98304:NtRK2Xvf49fuI0nBkLuFvJr4XGCkc/zF2fz5IZ4ePzpS+KdbjrD/6K+TU3nA:k2Xv42VKzYz6Z4qSndf3D+TU3A`
PDB Path	C:\Users\NotCoder\source\repos\XMRAsAdmin\XMRAsAdmin\obj\Release\XMRAsAdmin.pdb
Yara	PE_Header_Zero - PE File Signature XMRig_Miner_IN - XMRig Miner Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

cHXswWx.exe "C:\Users\test22\AppData\Local\Temp\cHXswWx.exe"
184
- xmrig.exe "C:\Users\test22\AppData\Roaming\xmrig.exe"
  2156
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 157.20.104.252 A 51.79.163.234	157.20.104.252

IP Address	Status	Action
157.20.104.252	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49165 157.20.104.252:443	None	None	None

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 6, 2025, 9:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 6, 2025, 9:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 6, 2025, 9:36 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 6, 2025, 9:36 p.m.			0	0
IsDebuggerPresent May 6, 2025, 9:36 p.m.			0	0

Command line console output was observed (50 out of 164 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: ABOUT console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: XMRig/6.22.2 console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: MSVC/2019 console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: (built for Windows console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: x86-64, console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: 64 bit) console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: LIBS libuv/1.49.2 OpenSSL/3.0.15 hwloc/2.11.2 console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: HUGE PAGES console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: permission granted console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: 1GB PAGES console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: unavailable console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: CPU Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz (1) console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: 64-bit console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: AES console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: VM console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: L2: console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: 0.5 MB console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: L3: console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: 18.0 MB console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: C console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: T console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: NUMA: console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: MEMORY console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: GB console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: MOTHERBOARD console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: innotek GmbH console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: VirtualBox console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: DONATE console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: ASSEMBLY auto: console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: intel console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: POOL #1 console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: pool.hashvault.pro:443 console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: algo console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: auto console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: COMMANDS console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: h console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: ashrate, console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: p console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: ause, console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: r console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: esume, console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: re console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: s console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: ults, console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: c console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: onnection console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: OPENCL console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: disabled console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: CUDA console_handle: 0x0000000000000013	1	1
WriteConsoleW May 6, 2025, 9:36 p.m.	buffer: disabled console_handle: 0x0000000000000013	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey May 6, 2025, 9:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f1608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 6, 2025, 9:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f1648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 6, 2025, 9:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f1648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\NotCoder\source\repos\XMRAsAdmin\XMRAsAdmin\obj\Release\XMRAsAdmin.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 6, 2025, 9:36 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (33 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cdf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000067e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 2156 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 2156 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000205d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 2156 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000209e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 2156 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020a80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 2156 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020ba0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 2156 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020bd0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 2156 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 6, 2025, 9:36 p.m.	process_identifier: 2156 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020d10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\xmrig.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemServiceManager.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemServiceManager.lnk

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 6, 2025, 9:36 p.m.	thread_identifier: 2160 thread_handle: 0x000003c0 process_identifier: 2156 current_directory: C:\Users\test22\AppData\Roaming filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\xmrig.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003bc	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 6, 2025, 9:36 p.m.	flags: 14 family: 0		111	0

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SystemServiceManager	reg_value	C:\Users\test22\AppData\Local\Temp\cHXswWx.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemServiceManager	reg_value	C:\Users\test22\AppData\Local\Temp\cHXswWx.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemServiceManager.lnk

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 6, 2025, 9:36 p.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Users\test22\AppData\Roaming\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Users\test22\AppData\Roaming\WinRing0x64.sys desired_access: 983551 service_handle: 0x00000000001af5f0 error_control: 1 service_type: 1 service_manager_handle: 0x00000000001af5c0	1	1766896	0

A stratum cryptocurrency mining command was executed (1 event)

cmdline

"C:\Users\test22\AppData\Roaming\xmrig.exe"

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 6, 2025, 9:36 p.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware.CS
CAT-QuickHeal	Trojan.Ghanarava.1746530750bdb243
ALYac	Gen:Variant.Application.Miner.2
Cylance	Unsafe
VIPRE	Gen:Variant.Application.Miner.2
Sangfor	Trojan.Win64.XMR.Miner
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Application.Miner.2
Arcabit	Trojan.Application.Miner.2
Symantec	ML.Attribute.HighConfidence
Elastic	Multi.Cryptominer.Xmrig
ESET-NOD32	a variant of Win64/CoinMiner.IZ potentially unwanted
APEX	Malicious
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Coinminer.Generic-7151250-0
Kaspersky	UDS:Exploit.Win32.BypassUAC.a
Alibaba	Trojan:Win32/Coinminer.448
MicroWorld-eScan	Gen:Variant.Application.Miner.2
Rising	HackTool.XMRMiner!1.12867 (CLASSIC)
Emsisoft	Gen:Variant.Application.Miner.2 (B)
DrWeb	Tool.BtcMine.2797
McAfeeD	ti!DDE8A15BF633
CTX	exe.miner.generic
Sophos	XMRig Miner (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Antiy-AVL	Trojan/Win64.CoinMiner.xmr
Kingsoft	malware.kb.c.831
Gridinsoft	Risk.CoinMiner.B.vl!yf
GData	Gen:Variant.Application.Miner.2
McAfee	Artemis!530058A2734E
DeepInstinct	MALICIOUS
Malwarebytes	BitcoinMiner.Trojan.Miner.DDS
Ikarus	PUA.CoinMiner
Tencent	Riskware.Win64.Miner_l.16001723
huorong	Trojan/CoinMiner.hh
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Riskware/CoinMiner
AVG	Win64:Evo-gen [Trj]
alibabacloud	Miner:Win/CoinMiner.A

cHXswWx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All