Malware Analysis Report

2025-08-10 14:48

Sample ID 241025-yymghs1nhj
Target PUB.rar
SHA256 5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017
Tags
miner xmrig
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b06e18380c2c8261419a482e5d54b189bbe9b0feaccd355c3cb1bc4aaedd017

Threat Level: Known bad

The file PUB.rar was found to be: Known bad.

Malicious Activity Summary

miner xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 20:11

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:50

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2192 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/2220-0-0x000001E5BF7C0000-0x000001E5BF7E0000-memory.dmp

memory/2220-1-0x000001E5C1200000-0x000001E5C1220000-memory.dmp

memory/2220-2-0x000001E5C1220000-0x000001E5C1240000-memory.dmp

memory/2220-3-0x000001E5C1240000-0x000001E5C1260000-memory.dmp

memory/2220-4-0x000001E5C1220000-0x000001E5C1240000-memory.dmp

memory/2220-5-0x000001E5C1240000-0x000001E5C1260000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

298s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 1036 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.223.36.55:443 tcp

Files

memory/4428-0-0x0000021CFD710000-0x0000021CFD730000-memory.dmp

memory/4428-1-0x0000021CFF000000-0x0000021CFF020000-memory.dmp

memory/4428-3-0x0000021CFF040000-0x0000021CFF060000-memory.dmp

memory/4428-2-0x0000021CFF020000-0x0000021CFF040000-memory.dmp

memory/4428-4-0x0000021CFF020000-0x0000021CFF040000-memory.dmp

memory/4428-5-0x0000021CFF040000-0x0000021CFF060000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

288s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2960 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/4516-0-0x00000215F88A0000-0x00000215F88C0000-memory.dmp

memory/4516-1-0x00000215F88E0000-0x00000215F8900000-memory.dmp

memory/4516-2-0x000002168AE70000-0x000002168AE90000-memory.dmp

memory/4516-3-0x000002168B0A0000-0x000002168B0C0000-memory.dmp

memory/4516-4-0x000002168AE70000-0x000002168AE90000-memory.dmp

memory/4516-5-0x000002168B0A0000-0x000002168B0C0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:50

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2920 wrote to memory of 1124 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/1124-0-0x000001348FFF0000-0x0000013490010000-memory.dmp

memory/1124-1-0x0000013491A30000-0x0000013491A50000-memory.dmp

memory/1124-3-0x00000135240D0000-0x00000135240F0000-memory.dmp

memory/1124-2-0x0000013491A50000-0x0000013491A70000-memory.dmp

memory/1124-4-0x0000013491A50000-0x0000013491A70000-memory.dmp

memory/1124-5-0x00000135240D0000-0x00000135240F0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2392 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/3292-0-0x000001B7BB680000-0x000001B7BB6A0000-memory.dmp

memory/3292-1-0x000001B7BB6D0000-0x000001B7BB6F0000-memory.dmp

memory/3292-2-0x000001B7BB6F0000-0x000001B7BB710000-memory.dmp

memory/3292-3-0x000001B7BB710000-0x000001B7BB730000-memory.dmp

memory/3292-4-0x000001B7BB6F0000-0x000001B7BB710000-memory.dmp

memory/3292-5-0x000001B7BB710000-0x000001B7BB730000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

293s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 628 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/3292-0-0x000002B246560000-0x000002B246580000-memory.dmp

memory/3292-1-0x000002B2465A0000-0x000002B2465C0000-memory.dmp

memory/3292-3-0x000002B2465F0000-0x000002B246610000-memory.dmp

memory/3292-2-0x000002B2465D0000-0x000002B2465F0000-memory.dmp

memory/3292-5-0x000002B2465F0000-0x000002B246610000-memory.dmp

memory/3292-4-0x000002B2465D0000-0x000002B2465F0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

302s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3220 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3220 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (9).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.31.169.57:443 fd.api.iris.microsoft.com tcp

Files

memory/4264-0-0x000001FC49C90000-0x000001FC49CB0000-memory.dmp

memory/4264-1-0x000001FC4B6C0000-0x000001FC4B6E0000-memory.dmp

memory/4264-3-0x000001FCDDD80000-0x000001FCDDDA0000-memory.dmp

memory/4264-2-0x000001FC4B6E0000-0x000001FC4B700000-memory.dmp

memory/4264-4-0x000001FC4B6E0000-0x000001FC4B700000-memory.dmp

memory/4264-5-0x000001FCDDD80000-0x000001FCDDDA0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

291s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3784 wrote to memory of 4064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3784 wrote to memory of 4064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (5).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.31.169.57:443 tcp

Files

memory/4064-0-0x0000018D76A60000-0x0000018D76A80000-memory.dmp

memory/4064-1-0x0000018E08BF0000-0x0000018E08C10000-memory.dmp

memory/4064-2-0x0000018E09030000-0x0000018E09050000-memory.dmp

memory/4064-3-0x0000018E09260000-0x0000018E09280000-memory.dmp

memory/4064-4-0x0000018E09030000-0x0000018E09050000-memory.dmp

memory/4064-5-0x0000018E09260000-0x0000018E09280000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 544 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 544 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

memory/3616-0-0x0000022CF5F00000-0x0000022CF5F20000-memory.dmp

memory/3616-1-0x0000022CF5F40000-0x0000022CF5F60000-memory.dmp

memory/3616-2-0x0000022CF5F60000-0x0000022CF5F80000-memory.dmp

memory/3616-3-0x0000022D88700000-0x0000022D88720000-memory.dmp

memory/3616-5-0x0000022D88700000-0x0000022D88720000-memory.dmp

memory/3616-4-0x0000022CF5F60000-0x0000022CF5F80000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

288s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 5084 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 20.223.36.55:443 tcp
US 8.8.8.8:53 udp
N/A 192.229.221.95:80 tcp

Files

memory/876-0-0x00000273B2DC0000-0x00000273B2DE0000-memory.dmp

memory/876-1-0x00000273B2E00000-0x00000273B2E20000-memory.dmp

memory/876-3-0x00000273B2E40000-0x00000273B2E60000-memory.dmp

memory/876-2-0x00000273B2E20000-0x00000273B2E40000-memory.dmp

memory/876-4-0x00000273B2E20000-0x00000273B2E40000-memory.dmp

memory/876-5-0x00000273B2E40000-0x00000273B2E60000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

278s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

memory/4976-0-0x000001DF07140000-0x000001DF07160000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

154s

Max time network

284s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.31.169.57:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

memory/992-0-0x0000020716380000-0x00000207163A0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:50

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

293s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2172 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3624-0-0x00000234455E0000-0x0000023445600000-memory.dmp

memory/3624-1-0x0000023445630000-0x0000023445650000-memory.dmp

memory/3624-3-0x0000023445670000-0x0000023445690000-memory.dmp

memory/3624-2-0x0000023445650000-0x0000023445670000-memory.dmp

memory/3624-5-0x0000023445670000-0x0000023445690000-memory.dmp

memory/3624-4-0x0000023445650000-0x0000023445670000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 4056 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 548 wrote to memory of 4056 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (4).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/4056-0-0x0000027D34E30000-0x0000027D34E50000-memory.dmp

memory/4056-1-0x0000027D34E70000-0x0000027D34E90000-memory.dmp

memory/4056-2-0x0000027D34E90000-0x0000027D34EB0000-memory.dmp

memory/4056-3-0x0000027D34EB0000-0x0000027D34ED0000-memory.dmp

memory/4056-4-0x0000027D34E90000-0x0000027D34EB0000-memory.dmp

memory/4056-5-0x0000027D34EB0000-0x0000027D34ED0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 5068 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/832-0-0x00000209D7D60000-0x00000209D7D80000-memory.dmp

memory/832-1-0x00000209D9880000-0x00000209D98A0000-memory.dmp

memory/832-2-0x00000209D98A0000-0x00000209D98C0000-memory.dmp

memory/832-3-0x00000209D98C0000-0x00000209D98E0000-memory.dmp

memory/832-5-0x00000209D98C0000-0x00000209D98E0000-memory.dmp

memory/832-4-0x00000209D98A0000-0x00000209D98C0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

309s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2088 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (6).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp

Files

memory/2144-0-0x000001BAC89D0000-0x000001BAC89F0000-memory.dmp

memory/2144-1-0x000001BAC8A20000-0x000001BAC8A40000-memory.dmp

memory/2144-3-0x000001BAC8A60000-0x000001BAC8A80000-memory.dmp

memory/2144-2-0x000001BAC8A40000-0x000001BAC8A60000-memory.dmp

memory/2144-4-0x000001BAC8A40000-0x000001BAC8A60000-memory.dmp

memory/2144-5-0x000001BAC8A60000-0x000001BAC8A80000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

297s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 3452 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (8).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

memory/1464-0-0x0000023B57260000-0x0000023B57280000-memory.dmp

memory/1464-1-0x0000023B572B0000-0x0000023B572D0000-memory.dmp

memory/1464-2-0x0000023B572F0000-0x0000023B57310000-memory.dmp

memory/1464-3-0x0000023B572D0000-0x0000023B572F0000-memory.dmp

memory/1464-5-0x0000023B572D0000-0x0000023B572F0000-memory.dmp

memory/1464-4-0x0000023B572F0000-0x0000023B57310000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4644 wrote to memory of 3712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 4644 wrote to memory of 3712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.244.104:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 104.244.204.15.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3712-0-0x000002B9EC560000-0x000002B9EC580000-memory.dmp

memory/3712-1-0x000002B9EDF50000-0x000002B9EDF70000-memory.dmp

memory/3712-2-0x000002B9EDF90000-0x000002B9EDFB0000-memory.dmp

memory/3712-3-0x000002B9EDF70000-0x000002B9EDF90000-memory.dmp

memory/3712-4-0x000002B9EDF90000-0x000002B9EDFB0000-memory.dmp

memory/3712-5-0x000002B9EDF70000-0x000002B9EDF90000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:50

Platform

win10ltsc2021-20241023-en

Max time kernel

300s

Max time network

301s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5684 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 5684 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (3).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.31.169.57:443 fd.api.iris.microsoft.com tcp

Files

memory/1580-0-0x000001A1EABD0000-0x000001A1EABF0000-memory.dmp

memory/1580-1-0x000001A1EC500000-0x000001A1EC520000-memory.dmp

memory/1580-2-0x000001A1EC550000-0x000001A1EC570000-memory.dmp

memory/1580-3-0x000001A1EC530000-0x000001A1EC550000-memory.dmp

memory/1580-5-0x000001A1EC530000-0x000001A1EC550000-memory.dmp

memory/1580-4-0x000001A1EC550000-0x000001A1EC570000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:50

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

297s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2340 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (7).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/708-0-0x000002E5DF7E0000-0x000002E5DF800000-memory.dmp

memory/708-1-0x000002E5E10D0000-0x000002E5E10F0000-memory.dmp

memory/708-3-0x000002E5E1110000-0x000002E5E1130000-memory.dmp

memory/708-2-0x000002E5E10F0000-0x000002E5E1110000-memory.dmp

memory/708-5-0x000002E5E1110000-0x000002E5E1130000-memory.dmp

memory/708-4-0x000002E5E10F0000-0x000002E5E1110000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

284s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2796 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr.bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/4996-0-0x000001C9CDB90000-0x000001C9CDBB0000-memory.dmp

memory/4996-1-0x000001C9CF5A0000-0x000001C9CF5C0000-memory.dmp

memory/4996-3-0x000001C9CF5E0000-0x000001C9CF600000-memory.dmp

memory/4996-2-0x000001C9CF5C0000-0x000001C9CF5E0000-memory.dmp

memory/4996-4-0x000001C9CF5C0000-0x000001C9CF5E0000-memory.dmp

memory/4996-5-0x000001C9CF5E0000-0x000001C9CF600000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 20:11

Reported

2024-10-26 01:51

Platform

win10ltsc2021-20241023-en

Max time kernel

155s

Max time network

294s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe
PID 2940 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PUB\zephyr - Copie (2).bat"

C:\Users\Admin\AppData\Local\Temp\PUB\xmrig.exe

xmrig.exe -o us-zephyr.miningocean.org:5332 -u ZEPHYR2c1KpUmMcFb1DgEejg8bgrit4x9L8TUEk2e7B7gbtwtHDVyKCUZEzu4zQMnGjgZjJZES6wnefC6FgLJeyL6Ahz2SsWsoK1Y -p scall -a rx/0 -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 us-zephyr.miningocean.org udp
US 15.204.240.197:5332 us-zephyr.miningocean.org tcp
US 8.8.8.8:53 197.240.204.15.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

memory/3700-0-0x000001DCF7180000-0x000001DCF71A0000-memory.dmp

memory/3700-1-0x000001DCF72C0000-0x000001DCF72E0000-memory.dmp

memory/3700-2-0x000001DCF72E0000-0x000001DCF7300000-memory.dmp

memory/3700-3-0x000001DCF7310000-0x000001DCF7330000-memory.dmp

memory/3700-4-0x000001DCF72E0000-0x000001DCF7300000-memory.dmp

memory/3700-5-0x000001DCF7310000-0x000001DCF7330000-memory.dmp