c283c47e...528b

Severity	Category	Operation	Classification
4/5	Information Stealing	Reads application data	Spyware
Possibly trying to readout Filezilla credentials. ... VTI Actions Go to function call
3/5	Anti Analysis	Tries to detect application sandbox	-
Possibly trying to detect "Comodo Sandbox" by checking for existence of module "cmdvrt32.dll". ... VTI Actions Go to function call
Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll". ... VTI Actions Go to function call
Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_version". ... VTI Actions Go to function call
3/5	Browser	Reads data related to saved browser credentials	-
Reads saved credentials for "Google Chrome". ... VTI Actions Go to function call
3/5	Browser	Reads data related to browser cookies	-
Reads Cookies for "Google Chrome". ... VTI Actions Go to function call
Accesses Cookies for "Google Chrome". ... VTI Actions Go to function call
3/5	Information Stealing	Reads cryptocurrency wallet locations	Spyware
Reads the location from a unspecific wallet ... VTI Actions Go to function call
2/5	Anti Analysis	Tries to detect debugger	-
Check via API "IsDebuggerPresent". ... VTI Actions Go to function call
2/5	Anti Analysis	Tries to detect virtual machine	-
Possibly trying to detect VirtualBox via registry "HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__". ... VTI Actions Go to function call
Reads out system information, commonly used to detect VMs via registry. (Value "SystemBiosVersion" in key "HKEY_LOCAL_MACHINE\Hardware\description\System"). ... VTI Actions Go to function call
Reads out system information, commonly used to detect VMs via registry. (Value "VideoBiosVersion" in key "HKEY_LOCAL_MACHINE\Hardware\description\System"). ... VTI Actions Go to function call
Possibly trying to detect VM via rdtsc. ... VTI Actions
2/5	Anti Analysis	Tries to detect a forensic tool	-
Searches for the window class "FilemonClass" that is related to a forensic tool. ... VTI Actions Go to function call
Searches for the window "File Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool. ... VTI Actions Go to function call
Searches for the window class "PROCMON_WINDOW_CLASS" that is related to a forensic tool. ... VTI Actions Go to function call
Searches for the window class "RegmonClass" that is related to a forensic tool. ... VTI Actions Go to function call
Searches for the window "Registry Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool. ... VTI Actions Go to function call
Searches for the window class "18467-41" that is related to a forensic tool. ... VTI Actions Go to function call
2/5	File System	Known suspicious file	Trojan
File "C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe" is a known suspicious file. ... VTI Actions Go to file details Go to function call
File "C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp" is a known suspicious file. ... VTI Actions Go to file details Go to function call
File "Zero_Two.tmp" is a known suspicious file. ... VTI Actions Go to file details Go to function call
1/5	Process	Creates process with hidden window	-
The process "C:\Windows\system32\cmd.exe /c Zero_Two.tmp" starts with hidden window. ... VTI Actions Go to function call
The process "C:\Windows\system32\cmd.exe /c C:\Users\CIiHmnxMn6Ps\AppData\Roaming\517847183.tmp" starts with hidden window. ... VTI Actions Go to function call
The process "schtasks.exe" starts with hidden window. ... VTI Actions Go to function call
1/5	Anti Analysis	Resolves APIs dynamically	-
Resolves an unusually high number of APIs. ... VTI Actions Go to function call
1/5	Network	Performs DNS request	-
Resolves host name "u2884418ra.ha002.t.justns.ru". ... VTI Actions Go to function call
Resolves host name "iplogger.org". ... VTI Actions Go to function call
1/5	Process	Creates system object	-
Creates mutex with name "f6a845a7-3909-486d-8d82-29892b2a38d4". ... VTI Actions Go to function call
1/5	Static	Unparsable sections in file	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\CIiHmnxMn6Ps\Desktop\Mining.exe. ... VTI Actions Go to file details
1/5	Network	Connects to remote host	-
Outgoing TCP connection to host "88.99.66.31:443". ... VTI Actions Go to function call
Outgoing TCP connection to host "185.22.155.227:80". ... VTI Actions Go to function call
1/5	PE	Drops PE file	Dropper
Drops file "C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp". ... VTI Actions Go to file details Go to function call
Drops file "Zero_Two.tmp". ... VTI Actions Go to file details Go to function call
1/5	PE	Executes dropped PE file	-
Executes dropped file "C:\Users\CIIHMN~1\AppData\Local\Temp\autED97.tmp". ... VTI Actions Go to file details Go to function call
Executes dropped file "Zero_Two.tmp". ... VTI Actions Go to file details Go to function call
1/5	Persistence	Installs system service	-
Installs service "WinRun" by using the sc.exe utility. ... VTI Actions
Installs service "SystemUpdate" by using the sc.exe utility. ... VTI Actions

Notifications (1/1)

Before

After