Malware Analysis Report

2025-08-10 14:48

Sample ID 241025-yy98ks1rgs
Target PUB.rar
SHA256 5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Tags miner, xmrig
Score 10/10


Analysis Overview

Score

10/10

SHA256

5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017

Threat Level: Known bad

The file PUB.rar was found to be: Known bad.

Malicious Activity Summary

Tags: miner, xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 20:12

Signatures

XMRig Miner payload (tag: miner)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xmrig family (tag: xmrig)

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

154s

Max time network

287s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1692 wrote to memory of 2144 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1692 wrote to memory of 2144 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/2144-0-0x0000012702DE0000-0x0000012702E00000-memory.dmp

memory/2144-1-0x0000012702E30000-0x0000012702E50000-memory.dmp

memory/2144-2-0x0000012704810000-0x0000012704830000-memory.dmp

memory/2144-3-0x00000127047F0000-0x0000012704810000-memory.dmp

memory/2144-4-0x0000012704810000-0x0000012704830000-memory.dmp

memory/2144-5-0x00000127047F0000-0x0000012704810000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

299s

Max time network

307s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4416 wrote to memory of 4684 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4416 wrote to memory of 4684 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp

Files

memory/4684-0-0x000001D68AF50000-0x000001D68AF70000-memory.dmp

memory/4684-1-0x000001D68AFA0000-0x000001D68AFC0000-memory.dmp

memory/4684-3-0x000001D68C990000-0x000001D68C9B0000-memory.dmp

memory/4684-2-0x000001D68C9B0000-0x000001D68C9D0000-memory.dmp

memory/4684-4-0x000001D68C9B0000-0x000001D68C9D0000-memory.dmp

memory/4684-5-0x000001D68C990000-0x000001D68C9B0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

188s

Max time network

209s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3156-0-0x0000018B456E0000-0x0000018B45700000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

191s

Max time network

292s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2944 wrote to memory of 4960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2944 wrote to memory of 4960 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4960-0-0x000001DB65110000-0x000001DB65130000-memory.dmp

memory/4960-1-0x000001DB66A50000-0x000001DB66A70000-memory.dmp

memory/4960-2-0x000001DB66A70000-0x000001DB66A90000-memory.dmp

memory/4960-3-0x000001DB66A90000-0x000001DB66AB0000-memory.dmp

memory/4960-5-0x000001DB66A90000-0x000001DB66AB0000-memory.dmp

memory/4960-4-0x000001DB66A70000-0x000001DB66A90000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

214s

Max time network

287s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2544 wrote to memory of 5028 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2544 wrote to memory of 5028 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 195.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp

Files

memory/5028-0-0x0000029224E80000-0x0000029224EA0000-memory.dmp

memory/5028-1-0x0000029224ED0000-0x0000029224EF0000-memory.dmp

memory/5028-3-0x0000029224F10000-0x0000029224F30000-memory.dmp

memory/5028-2-0x0000029224EF0000-0x0000029224F10000-memory.dmp

memory/5028-5-0x0000029224F10000-0x0000029224F30000-memory.dmp

memory/5028-4-0x0000029224EF0000-0x0000029224F10000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

279s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4688 wrote to memory of 1764 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4688 wrote to memory of 1764 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/1764-0-0x000001EDA2AD0000-0x000001EDA2AF0000-memory.dmp

memory/1764-1-0x000001EDA2B20000-0x000001EDA2B40000-memory.dmp

memory/1764-2-0x000001EDA2B40000-0x000001EDA2B60000-memory.dmp

memory/1764-3-0x000001EDA2B60000-0x000001EDA2B80000-memory.dmp

memory/1764-4-0x000001EDA2B40000-0x000001EDA2B60000-memory.dmp

memory/1764-5-0x000001EDA2B60000-0x000001EDA2B80000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

307s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2504 wrote to memory of 796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2504 wrote to memory of 796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp

Files

memory/796-0-0x00000231334B0000-0x00000231334D0000-memory.dmp

memory/796-1-0x00000231C5640000-0x00000231C5660000-memory.dmp

memory/796-3-0x00000231C5CB0000-0x00000231C5CD0000-memory.dmp

memory/796-2-0x00000231C5A80000-0x00000231C5AA0000-memory.dmp

memory/796-4-0x00000231C5A80000-0x00000231C5AA0000-memory.dmp

memory/796-5-0x00000231C5CB0000-0x00000231C5CD0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

299s

Max time network

308s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4756 wrote to memory of 2040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4756 wrote to memory of 2040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp

Files

memory/2040-0-0x0000023338910000-0x0000023338930000-memory.dmp

memory/2040-1-0x000002333A300000-0x000002333A320000-memory.dmp

memory/2040-3-0x000002333A340000-0x000002333A360000-memory.dmp

memory/2040-2-0x000002333A320000-0x000002333A340000-memory.dmp

memory/2040-5-0x000002333A340000-0x000002333A360000-memory.dmp

memory/2040-4-0x000002333A320000-0x000002333A340000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

288s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3404 wrote to memory of 3840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3404 wrote to memory of 3840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3840-0-0x000001C647C40000-0x000001C647C60000-memory.dmp

memory/3840-1-0x000001C647C80000-0x000001C647CA0000-memory.dmp

memory/3840-3-0x000001C647CC0000-0x000001C647CE0000-memory.dmp

memory/3840-2-0x000001C647CA0000-0x000001C647CC0000-memory.dmp

memory/3840-5-0x000001C647CC0000-0x000001C647CE0000-memory.dmp

memory/3840-4-0x000001C647CA0000-0x000001C647CC0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

278s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4544 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4544 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/1044-0-0x000001C665810000-0x000001C665830000-memory.dmp

memory/1044-1-0x000001C665850000-0x000001C665870000-memory.dmp

memory/1044-2-0x000001C665870000-0x000001C665890000-memory.dmp

memory/1044-3-0x000001C665890000-0x000001C6658B0000-memory.dmp

memory/1044-4-0x000001C665870000-0x000001C665890000-memory.dmp

memory/1044-5-0x000001C665890000-0x000001C6658B0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

102s

Max time network

297s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2348 wrote to memory of 4520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2348 wrote to memory of 4520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4520-0-0x000001B3A2120000-0x000001B3A2140000-memory.dmp

memory/4520-1-0x000001B3A2180000-0x000001B3A21A0000-memory.dmp

memory/4520-3-0x000001B3A21C0000-0x000001B3A21E0000-memory.dmp

memory/4520-2-0x000001B3A21A0000-0x000001B3A21C0000-memory.dmp

memory/4520-4-0x000001B3A21A0000-0x000001B3A21C0000-memory.dmp

memory/4520-5-0x000001B3A21C0000-0x000001B3A21E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

101s

Max time network

216s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4964-0-0x0000022FCA4C0000-0x0000022FCA4E0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

275s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3292 wrote to memory of 3672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3292 wrote to memory of 3672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 195.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp

Files

memory/3672-0-0x000002434CA20000-0x000002434CA40000-memory.dmp

memory/3672-1-0x000002434CA60000-0x000002434CA80000-memory.dmp

memory/3672-2-0x000002434CA90000-0x000002434CAB0000-memory.dmp

memory/3672-3-0x000002434CAB0000-0x000002434CAD0000-memory.dmp

memory/3672-4-0x000002434CA90000-0x000002434CAB0000-memory.dmp

memory/3672-5-0x000002434CAB0000-0x000002434CAD0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2088 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/3276-0-0x000001AF26DD0000-0x000001AF26DF0000-memory.dmp

memory/3276-1-0x000001AF287D0000-0x000001AF287F0000-memory.dmp

memory/3276-2-0x000001AF28810000-0x000001AF28830000-memory.dmp

memory/3276-3-0x000001AF287F0000-0x000001AF28810000-memory.dmp

memory/3276-5-0x000001AF287F0000-0x000001AF28810000-memory.dmp

memory/3276-4-0x000001AF28810000-0x000001AF28830000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

292s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4840 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4840 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4868-0-0x00000282E3080000-0x00000282E30A0000-memory.dmp

memory/4868-1-0x00000282E4A80000-0x00000282E4AA0000-memory.dmp

memory/4868-2-0x00000282E4AA0000-0x00000282E4AC0000-memory.dmp

memory/4868-3-0x00000282E4AC0000-0x00000282E4AE0000-memory.dmp

memory/4868-4-0x00000282E4AA0000-0x00000282E4AC0000-memory.dmp

memory/4868-5-0x00000282E4AC0000-0x00000282E4AE0000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

101s

Max time network

276s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 416 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 416 wrote to memory of 1836 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1836-0-0x000002705A850000-0x000002705A870000-memory.dmp

memory/1836-1-0x000002705C240000-0x000002705C260000-memory.dmp

memory/1836-3-0x000002705C280000-0x000002705C2A0000-memory.dmp

memory/1836-2-0x000002705C260000-0x000002705C280000-memory.dmp

memory/1836-4-0x000002705C260000-0x000002705C280000-memory.dmp

memory/1836-5-0x000002705C280000-0x000002705C2A0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

154s

Max time network

276s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3876 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3876 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/4756-0-0x000001E719A00000-0x000001E719A20000-memory.dmp

memory/4756-1-0x000001E719BA0000-0x000001E719BC0000-memory.dmp

memory/4756-2-0x000001E719BC0000-0x000001E719BE0000-memory.dmp

memory/4756-3-0x000001E719BE0000-0x000001E719C00000-memory.dmp

memory/4756-4-0x000001E719BC0000-0x000001E719BE0000-memory.dmp

memory/4756-5-0x000001E719BE0000-0x000001E719C00000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

309s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4692 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 195.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3444-0-0x0000017675460000-0x0000017675480000-memory.dmp

memory/3444-1-0x0000017676D50000-0x0000017676D70000-memory.dmp

memory/3444-2-0x0000017676D90000-0x0000017676DB0000-memory.dmp

memory/3444-3-0x0000017676D70000-0x0000017676D90000-memory.dmp

memory/3444-4-0x0000017676D90000-0x0000017676DB0000-memory.dmp

memory/3444-5-0x0000017676D70000-0x0000017676D90000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

276s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1096 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp

Files

memory/432-0-0x0000028F1D460000-0x0000028F1D480000-memory.dmp

memory/432-1-0x0000028F1D4C0000-0x0000028F1D4E0000-memory.dmp

memory/432-2-0x0000028F1D4E0000-0x0000028F1D500000-memory.dmp

memory/432-3-0x0000028F1D500000-0x0000028F1D520000-memory.dmp

memory/432-4-0x0000028F1D4E0000-0x0000028F1D500000-memory.dmp

memory/432-5-0x0000028F1D500000-0x0000028F1D520000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

301s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2172 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/1744-0-0x000002B6F9550000-0x000002B6F9570000-memory.dmp

memory/1744-1-0x000002B6FAE50000-0x000002B6FAE70000-memory.dmp

memory/1744-3-0x000002B6FAE90000-0x000002B6FAEB0000-memory.dmp

memory/1744-2-0x000002B6FAE70000-0x000002B6FAE90000-memory.dmp

memory/1744-4-0x000002B6FAE70000-0x000002B6FAE90000-memory.dmp

memory/1744-5-0x000002B6FAE90000-0x000002B6FAEB0000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

279s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1556 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 195.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/1992-0-0x000002A66A340000-0x000002A66A360000-memory.dmp

memory/1992-1-0x000002A66BC30000-0x000002A66BC50000-memory.dmp

memory/1992-3-0x000002A66BC70000-0x000002A66BC90000-memory.dmp

memory/1992-2-0x000002A66BC50000-0x000002A66BC70000-memory.dmp

memory/1992-4-0x000002A66BC50000-0x000002A66BC70000-memory.dmp

memory/1992-5-0x000002A66BC70000-0x000002A66BC90000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-25 20:12

Reported

2024-10-25 20:18

Platform

win10ltsc2021-20241023-en

Max time kernel

299s

Max time network

307s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3064 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp

Files

memory/3664-0-0x0000013287D70000-0x0000013287D90000-memory.dmp

memory/3664-1-0x000001331B800000-0x000001331B820000-memory.dmp

memory/3664-3-0x000001331BE90000-0x000001331BEB0000-memory.dmp

memory/3664-2-0x000001331BE70000-0x000001331BE90000-memory.dmp

memory/3664-5-0x000001331BE90000-0x000001331BEB0000-memory.dmp

memory/3664-4-0x000001331BE70000-0x000001331BE90000-memory.dmp