Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561926
MD5: 978752b65601018ddd10636b648b8e65
SHA1: 2c0e320cb0d84c6760a925d873d58e701e3e6cb1
SHA256: 8bf64a9906e8177eab206dac3a550bc5918213659f98eac6295b8e24184eb782
Tags: CoinMiner, exe, user-Bitsight

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
DNS related to crypt mining pools
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Abnormally high CPU usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.4% probability

Bitcoin Miner

Source: Yara match File source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.2486993892.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3524, type: MEMORYSTR
Source: unknown DNS query: name: xmr-eu2.nanopool.org
Source: explorer.exe, 00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: explorer.exe String found in binary or memory: cryptonight/0
Source: explorer.exe, 00000017.00000002.2487104363.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: autorunsc64a.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: autorunsc64a.pdb= source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns64a.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns64.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: autorunsc.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utorunsc.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: explorer.exe, 00000012.00000003.2516037085.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3265796424.00000000054CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2312256260.0000000001350000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354445600.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703350861.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2672721393.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2550085788.00000000054CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utorunsc64.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: autorunsc64.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utoruns64a.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA132DE0 FindFirstFileExW, 17_2_00007FF7AA132DE0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA16CE3C GetFileAttributesW,FindFirstFileW,FindClose, 17_2_00007FF7AA16CE3C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752042DE0 FindFirstFileExW, 20_2_00007FF752042DE0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75207CE3C GetFileAttributesW,FindFirstFileW,FindClose, 20_2_00007FF75207CE3C
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\29442
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\29442\

Networking

Source: C:\Windows\explorer.exe Network Connect: 163.172.171.111 10343
Source: global traffic TCP traffic: 192.168.2.5:49735 -> 163.172.171.111:10343
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: DqnJUgbSFuO.DqnJUgbSFuO
Source: global traffic DNS traffic detected: DNS query: xmr-eu2.nanopool.org
Source: file.exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorer.exe, 00000012.00000002.3265796424.0000000005480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl
Source: explorer.exe, 00000012.00000003.2611556085.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354580125.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264505846.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703373555.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.cloudflare.com/origin_ca.crl0
Source: file.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000012.00000003.2642127911.0000000001335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264409592.0000000001336000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.cloudflare.com/origin_ca
Source: explorer.exe, 00000012.00000003.2611556085.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354580125.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3264505846.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703373555.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3265796424.0000000005480000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354530325.00000000013C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.cloudflare.com/origin_ca0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe String found in binary or memory: http://ocsp.entrust.net03
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Reynolds.com, ZeusChat.scr String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, Reynolds.com, 0000000A.00000000.2066097134.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp, ZeusChat.scr, 00000010.00000000.2205239967.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, Reynolds.com, 00000011.00000000.2255000492.00007FF7AA1E4000.00000002.00000001.01000000.00000007.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2411864117.0000000015614000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr, 00000014.00000000.2409093623.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, ZeusChat.scr, 00000015.00000000.2415165241.00007FF7520F4000.00000002.00000001.01000000.00000009.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: file.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: explorer.exe, 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/horsicq/DIE-engine
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: file.exe String found in binary or memory: https://www.entrust.net/rpa0
Source: Tech.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69B00A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2313532248.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, ZeusChat.scr.10.dr, Reynolds.com.2.dr, Tech.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: explorer.exe, 00000012.00000002.3264299114.00000000012F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.virustotal.com/en/search/?query=
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Americans entropy: 7.99760011473
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Satin entropy: 7.99764862118
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Rid entropy: 7.9977091016
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Eagle entropy: 7.99799114247
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Matching entropy: 7.99710399078
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Eugene entropy: 7.99803047909
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Smithsonian entropy: 7.99798906004
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Exhibits entropy: 7.99744911231
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Psychiatry entropy: 7.99633350563
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Through entropy: 7.99745463306
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Dealing entropy: 7.99815989653
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Carlo entropy: 7.99711927339
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Hotel entropy: 7.99835032646
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Landscape entropy: 7.99751935648
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Wendy entropy: 7.99809069172
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Expert entropy: 7.99780337689
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Turns entropy: 7.99807412881
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Holdem entropy: 7.99752904365
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Ai entropy: 7.99764618877
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Households entropy: 7.99708688405
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Guy entropy: 7.99699953217
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Result entropy: 7.99746905943
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Elliott entropy: 7.99808822812
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Norway entropy: 7.99778041078
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Exempt entropy: 7.99612802037
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Blvd entropy: 7.99621538932
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Jungle entropy: 7.99756807934
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Biodiversity entropy: 7.99816036628
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Chan entropy: 7.99708921533
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Typical entropy: 7.99755405965
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Def entropy: 7.99714947873
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Ebooks entropy: 7.99790460139
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Odds entropy: 7.99741776079
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Peeing entropy: 7.99746302181
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Innocent entropy: 7.99812179691
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Sucking entropy: 7.99806777596
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Resolutions entropy: 7.99730244217
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Delaware entropy: 7.99692887592
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Tm entropy: 7.99791944878
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Actual entropy: 7.99741011645
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Drums entropy: 7.99729494549
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Lambda entropy: 7.99792392141
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Same entropy: 7.99747556
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Games entropy: 7.99745741408
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Jpg entropy: 7.99792471662
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Individuals entropy: 7.99688013161
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Nervous entropy: 7.99786086382
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Seafood entropy: 7.99764350559
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\29442\l entropy: 7.99994417377
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com File created: C:\Users\user\AppData\Local\CyberSphere Dynamics\M entropy: 7.99994417377

System Summary

Source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_000002453CA21394 NtAlpcCreatePortSection, 17_2_000002453CA21394
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA91394 NtQueryInformationByName, 21_2_0000014D5CA91394
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_004038AF
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\DownReceptor
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\ComfortSick
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\IdeasApp
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\CentralAvoiding
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\JoiningMazda
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\UruguayNorthern
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\MozambiqueAppropriate
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\TeddySecretariat
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\OrganDiscretion
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\VatBukkake
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\KeyboardsTwin
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752024364 20_2_00007FF752024364
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75202549C 20_2_00007FF75202549C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF7520024D4 20_2_00007FF7520024D4
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75204512C 20_2_00007FF75204512C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752038270 20_2_00007FF752038270
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752016260 20_2_00007FF752016260
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75202C28C 20_2_00007FF75202C28C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752042290 20_2_00007FF752042290
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF7520AC284 20_2_00007FF7520AC284
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75202F760 20_2_00007FF75202F760
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752008790 20_2_00007FF752008790
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752002820 20_2_00007FF752002820
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752011820 20_2_00007FF752011820
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752004528 20_2_00007FF752004528
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF7520315E0 20_2_00007FF7520315E0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75203A650 20_2_00007FF75203A650
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752046680 20_2_00007FF752046680
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF7520416D0 20_2_00007FF7520416D0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF7520376EC 20_2_00007FF7520376EC
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752042BB0 20_2_00007FF752042BB0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752046C74 20_2_00007FF752046C74
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752098CB0 20_2_00007FF752098CB0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752010950 20_2_00007FF752010950
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75200B9B0 20_2_00007FF75200B9B0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75201EAA8 20_2_00007FF75201EAA8
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF7520B1F40 20_2_00007FF7520B1F40
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752032F6C 20_2_00007FF752032F6C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75202BFC0 20_2_00007FF75202BFC0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75201203B 20_2_00007FF75201203B
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75201F070 20_2_00007FF75201F070
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75202BD44 20_2_00007FF75202BD44
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752013D70 20_2_00007FF752013D70
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF7520AAE10 20_2_00007FF7520AAE10
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752037DFC 20_2_00007FF752037DFC
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75200AEC0 20_2_00007FF75200AEC0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752012EE0 20_2_00007FF752012EE0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA9B550 21_2_0000014D5CA9B550
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA95530 21_2_0000014D5CA95530
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA94F10 21_2_0000014D5CA94F10
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA9E6F0 21_2_0000014D5CA9E6F0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr 69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com 69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004062CF appears 58 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 23.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: classification engine Classification label: mal100.rans.expl.evad.mine.winEXE@38/58@3/1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA174124 GetLastError,FormatMessageW, 17_2_00007FF7AA174124
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA16C46C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 17_2_00007FF7AA16C46C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA17368C CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 17_2_00007FF7AA17368C
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com File created: C:\Users\user\AppData\Local\CyberSphere Dynamics Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsgBEEE.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Windows\explorer.exe Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Windows\System32\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M"
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Windows\System32\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M" Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Windows\explorer.exe explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Windows\explorer.exe explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 4389991 > 1048576
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: autorunsc64a.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: autorunsc64a.pdb= source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns64a.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Autoruns64.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: autorunsc.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utorunsc.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: explorer.exe, 00000012.00000003.2516037085.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3265796424.00000000054CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2312256260.0000000001350000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2354445600.00000000054AC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2703350861.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2672721393.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2550085788.00000000054CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utorunsc64.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: autorunsc64.pdb source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: utoruns64a.pdb source: explorer.exe, 00000012.00000002.3264572586.000000000162E000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: file.exe Static PE information: real checksum: 0x43515c should be: 0x42fd74
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_000002453CA21394 push qword ptr [000002453CA34004h]; ret 17_2_000002453CA21403
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_000002453CA23A16 push rdx; iretd 17_2_000002453CA23A17
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_000002453CA23788 push rdx; iretd 17_2_000002453CA23789
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA127149 push rdi; ret 17_2_00007FF7AA127152
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA1276AD push rdi; ret 17_2_00007FF7AA1276B4
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752037149 push rdi; ret 20_2_00007FF752037152
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF7520376AD push rdi; ret 20_2_00007FF7520376B4
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA91394 push qword ptr [0000014D5CAA4004h]; ret 21_2_0000014D5CA91403
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA93A16 push rdx; iretd 21_2_0000014D5CA93A17
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA93788 push rdx; iretd 21_2_0000014D5CA93789

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com File created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Tech
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA114364 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 17_2_00007FF7AA114364
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752024364 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 20_2_00007FF752024364
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4326
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 510
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com API coverage: 0.2 %
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr API coverage: 1.6 %
Source: C:\Windows\explorer.exe TID: 6208 Thread sleep count: 4326 > 30
Source: C:\Windows\explorer.exe TID: 6208 Thread sleep time: -86520s >= -30000s
Source: C:\Windows\explorer.exe TID: 6208 Thread sleep count: 510 > 30
Source: C:\Windows\explorer.exe TID: 6208 Thread sleep count: 32 > 30
Source: C:\Windows\explorer.exe TID: 6208 Thread sleep count: 133 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA132DE0 FindFirstFileExW, 17_2_00007FF7AA132DE0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA16CE3C GetFileAttributesW,FindFirstFileW,FindClose, 17_2_00007FF7AA16CE3C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752042DE0 FindFirstFileExW, 20_2_00007FF752042DE0
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75207CE3C GetFileAttributesW,FindFirstFileW,FindClose, 20_2_00007FF75207CE3C
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA0F5C44 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary, 17_2_00007FF7AA0F5C44
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\29442
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\29442\
Source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000012.00000002.3264299114.0000000001318000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPX2
Source: C:\Windows\explorer.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA0F3B64 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 17_2_00007FF7AA0F3B64
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA115A40 GetLastError,IsDebuggerPresent,OutputDebugStringW, 17_2_00007FF7AA115A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA1341A8 GetProcessHeap, 17_2_00007FF7AA1341A8
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_000002453CA21160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 17_2_000002453CA21160
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA12AD08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00007FF7AA12AD08
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA138E74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00007FF7AA138E74
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA115850 SetUnhandledExceptionFilter, 17_2_00007FF7AA115850
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA11566C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00007FF7AA11566C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752025850 SetUnhandledExceptionFilter, 20_2_00007FF752025850
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75202566C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00007FF75202566C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF75203AD08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00007FF75203AD08
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 20_2_00007FF752048E74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF752048E74
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Code function: 21_2_0000014D5CA91160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 21_2_0000014D5CA91160

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 163.172.171.111 10343
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtProtectVirtualMemory: Direct from: 0x7FF7AA12B26C
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtClose: Direct from: 0x7FF7AA16C3CD
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtQueryInformationToken: Direct from: 0x7FF752093508
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtQueryAttributesFile: Direct from: 0x7FF7AA16D642
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtProtectVirtualMemory: Direct from: 0x7FF7AA16C119
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtReadFile: Direct from: 0x7FF7AA0F7D7F
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtQuerySystemInformation: Direct from: 0x7FF7AA16C4AD
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtClose: Direct from: 0x7FF75207C5C7
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtQueryAttributesFile: Direct from: 0x7FF7AA16CE4E
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtDelayExecution: Direct from: 0x7FF752011C92
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtOpenFile: Direct from: 0x7FF7AA16BF1E
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtDelayExecution: Direct from: 0x7FF7AA16DFD8
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtProtectVirtualMemory: Direct from: 0x7FF7AA118FF0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtClose: Direct from: 0x7FF7AA16CE61
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtProtectVirtualMemory: Direct from: 0x7FF7520083B5
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtQuerySystemInformation: Direct from: 0x7FF8C88A26A1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtClose: Direct from: 0x7FF7AA0F8693
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtQuerySystemInformation: Direct from: 0x7FF752024924
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtQueryAttributesFile: Direct from: 0x7FF75207D642
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtProtectVirtualMemory: Direct from: 0x7FF75203B26C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtQueryAttributesFile: Direct from: 0x7FF75207CE4E
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtSetInformationFile: Direct from: 0x7FF7AA0F7A79
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtClose: Direct from: 0x7FF7AA16C5C7
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtQuerySystemInformation: Direct from: 0x7FF75207C4AD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtCreateFile: Direct from: 0x7FF7AA0F787C
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtDelayExecution: Direct from: 0x7FF75207DFD8
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtDelayExecution: Direct from: 0x7FF7AA101C92
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtWriteFile: Direct from: 0x7FF7AA16B9D7
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtClose: Direct from: 0x7FF75207C37B
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtQuerySystemInformation: Direct from: 0x7FF7AA114924
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtSetInformationFile: Direct from: 0x7FF7AA0F7A91
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtProtectVirtualMemory: Direct from: 0x7FF752028FF0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtClose: Direct from: 0x7FF7AA16C200
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtClose: Direct from: 0x7FF75207FD06
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtUnmapViewOfSection: Direct from: 0x7FF7AA16C4BD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtQueryAttributesFile: Direct from: 0x7FF7AA16C1E1
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtMapViewOfSection: Direct from: 0x7FF7AA16C508
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtOpenFile: Direct from: 0x7FF7AA16C37B
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr NtMapViewOfSection: Direct from: 0x7FF75207C4BD
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtQueryInformationToken: Direct from: 0x7FF7AA183508
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com NtProtectVirtualMemory: Direct from: 0x7FF7AA0F83B5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Memory written: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com base: 2453CA20000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Memory written: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr base: 14D5CA90000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Memory written: PID: 6504 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Memory written: PID: 6504 base: 140001000 value: NU
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Memory written: PID: 6504 base: 1406F5000 value: DF
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Memory written: PID: 6504 base: 1408F6000 value: 00
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Memory written: PID: 6504 base: 11E1010 value: 00
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Memory written: PID: 3524 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Memory written: PID: 3524 base: 140001000 value: NU
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Memory written: PID: 3524 base: 1406F5000 value: DF
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Memory written: PID: 3524 base: 1408F6000 value: 00
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Memory written: PID: 3524 base: C94010 value: 00
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Thread register set: target process: 3640
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Thread register set: target process: 4148
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Thread register set: target process: 6504
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Thread register set: target process: 3524
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA0F3B64 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 17_2_00007FF7AA0F3B64
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA114364 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 17_2_00007FF7AA114364
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 29442
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Reynolds.com l
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com C:\Users\user\AppData\Local\Temp\29442\Reynolds.com
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr" "C:\Users\user\AppData\Local\CyberSphere Dynamics\M"
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr "C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr"
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Local\CyberSphere Dynamics\ZeusChat.scr Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\wendy + ..\psychiatry + ..\rid + ..\games + ..\norway + ..\matching + ..\jungle + ..\elliott + ..\jpg + ..\americans + ..\exhibits + ..\peeing + ..\typical + ..\innocent + ..\seafood + ..\nervous + ..\households + ..\ai + ..\hotel + ..\holdem + ..\drums + ..\carlo + ..\tm + ..\landscape + ..\resolutions + ..\def + ..\lambda + ..\biodiversity + ..\odds + ..\smithsonian + ..\blvd + ..\actual + ..\guy + ..\expert + ..\delaware + ..\eagle + ..\eugene + ..\exempt + ..\same + ..\ebooks + ..\individuals + ..\sucking + ..\chan + ..\turns + ..\satin + ..\dealing + ..\result + ..\through + ..\realized l
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Process created: C:\Windows\System32\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url" & echo url="c:\users\user\appdata\local\cybersphere dynamics\zeuschat.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url" & exit
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA15DB9C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 17_2_00007FF7AA15DB9C
Source: Reynolds.com, 0000000A.00000003.2079865873.000001A69AFF5000.00000004.00000001.00020000.00000000.sdmp, Reynolds.com, 0000000A.00000000.2066014740.00007FF7AA1C8000.00000002.00000001.01000000.00000007.sdmp, ZeusChat.scr, 00000010.00000000.2205059109.00007FF7520D8000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: conhost.exe, 00000013.00000002.3264667857.000001CAE0321000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: Reynolds.com, conhost.exe, 00000013.00000002.3264667857.000001CAE0321000.00000002.00000001.00040000.00000000.sdmp, ZeusChat.scr Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000013.00000002.3264667857.000001CAE0321000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000013.00000002.3264667857.000001CAE0321000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA12FBB0 cpuid 17_2_00007FF7AA12FBB0
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_000002453CA2A660 GetModuleHandleW,GetProcAddress,GetSystemTimeAsFileTime, 17_2_000002453CA2A660
Source: C:\Users\user\AppData\Local\Temp\29442\Reynolds.com Code function: 17_2_00007FF7AA1324E0 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 17_2_00007FF7AA1324E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs