Analysis Overview
SHA256
cedef524b310863d014742266add69204464f9ef7b5daac8b8253160195bc66b
Threat Level: Known bad
The file Triage.zip was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
UPX packed file
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-13 10:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:33
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1802s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3796 set thread context of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3796 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3796 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3796 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3796 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3796 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4292-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-8-0x0000000000BD0000-0x0000000000BF0000-memory.dmp
memory/4292-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-16-0x0000000000C80000-0x0000000000CA0000-memory.dmp
memory/4292-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4292-21-0x00000000130E0000-0x0000000013100000-memory.dmp
memory/4292-22-0x0000000013310000-0x0000000013330000-memory.dmp
memory/4292-23-0x00000000130E0000-0x0000000013100000-memory.dmp
memory/4292-24-0x0000000013310000-0x0000000013330000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:38
Platform
win7-20241010-en
Max time kernel
1550s
Max time network
1805s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2220 set thread context of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2220 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2220 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2220 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2220 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 2220 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/2568-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2568-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-17-0x0000000000190000-0x00000000001B0000-memory.dmp
memory/2568-18-0x00000000002C0000-0x00000000002E0000-memory.dmp
memory/2568-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2568-20-0x0000000000190000-0x00000000001B0000-memory.dmp
memory/2568-21-0x00000000002C0000-0x00000000002E0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:38
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1794s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3968 set thread context of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3968 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3968 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3968 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3968 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 3968 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 142.154.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4668-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-8-0x0000000000910000-0x0000000000930000-memory.dmp
memory/4668-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-16-0x0000000000930000-0x0000000000950000-memory.dmp
memory/4668-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4668-22-0x0000000013240000-0x0000000013260000-memory.dmp
memory/4668-21-0x0000000013010000-0x0000000013030000-memory.dmp
memory/4668-24-0x0000000013240000-0x0000000013260000-memory.dmp
memory/4668-23-0x0000000013010000-0x0000000013030000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:08
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 456 set thread context of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 456 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 456 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 456 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 456 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 456 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 142.154.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.208.201.84.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4652-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-8-0x0000000000CA0000-0x0000000000CC0000-memory.dmp
memory/4652-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-16-0x0000000002460000-0x0000000002480000-memory.dmp
memory/4652-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4652-21-0x0000000013010000-0x0000000013030000-memory.dmp
memory/4652-22-0x0000000013240000-0x0000000013260000-memory.dmp
memory/4652-23-0x0000000013010000-0x0000000013030000-memory.dmp
memory/4652-24-0x0000000013240000-0x0000000013260000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 11:12
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1795s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4808 set thread context of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4808 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4808 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4808 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4808 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4808 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1900-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-8-0x0000000000A40000-0x0000000000A60000-memory.dmp
memory/1900-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-16-0x0000000000DD0000-0x0000000000DF0000-memory.dmp
memory/1900-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1900-21-0x0000000013240000-0x0000000013260000-memory.dmp
memory/1900-22-0x0000000013470000-0x0000000013490000-memory.dmp
memory/1900-24-0x0000000013470000-0x0000000013490000-memory.dmp
memory/1900-23-0x0000000013240000-0x0000000013260000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 11:12
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1795s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5036 set thread context of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5036 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 5036 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 5036 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 5036 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 5036 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
(30 identical connections to 104.154.53.10:80 collapsed into the row above)
Files
memory/3204-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-8-0x0000000000980000-0x00000000009A0000-memory.dmp
memory/3204-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-16-0x00000000009B0000-0x00000000009D0000-memory.dmp
memory/3204-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-21-0x0000000012E90000-0x0000000012EB0000-memory.dmp
memory/3204-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3204-22-0x00000000130C0000-0x00000000130E0000-memory.dmp
memory/3204-23-0x0000000012E90000-0x0000000012EB0000-memory.dmp
memory/3204-24-0x00000000130C0000-0x00000000130E0000-memory.dmp
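Read together, the behavioral5 tables above show the three signals that turn "Unsigned PE, UPX packed" into a miner verdict: Test.exe (PID 5036) writes into a second explorer.exe instance (PID 3204) five times and then resets a thread context in it, which is the process-hollowing shape; the hollowed explorer.exe then enables SeLockMemoryPrivilege, the privilege XMRig requests so it can back its RandomX dataset with large pages; and the same run opens a TCP session to xmr-eu1.nanopool.org on port 10300, a Monero pool. The script below is an added example and is not part of the Triage report or its tooling. It re-encodes those rows as constructed tuples and correlates them; the pool-name fragments and Stratum port list are assumptions for illustration, not an authoritative feed.

```python
"""Correlate sandbox signature rows into a miner / process-hollowing verdict.

Added example, not part of the sandbox report or of Triage. The rows below
are constructed by hand from the behavioral5 tables (Test.exe, PID 5036,
injecting into explorer.exe, PID 3204).
"""
import re
from collections import defaultdict

# Constructed sample: (signature, description, process, target), mirroring the
# report's | Description | Indicator | Process | Target | columns.
SRC = r"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
DST = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    ("SetThreadContext", "PID 5036 set thread context of 3204", SRC, DST),
] + [
    ("WriteProcessMemory", "PID 5036 wrote to memory of 3204", SRC, DST),
] * 5 + [
    ("AdjustPrivilegeToken", "Token: SeLockMemoryPrivilege", DST, "N/A"),
    ("AdjustPrivilegeToken", "Token: SeLockMemoryPrivilege", DST, "N/A"),
]

# Constructed sample: (country, destination, domain, proto) from the Network table.
SAMPLE_NETWORK = [
    ("US", "8.8.8.8:53", "xmr-eu1.nanopool.org", "udp"),
    ("FR", "146.59.154.106:10300", "xmr-eu1.nanopool.org", "tcp"),
    ("US", "104.154.53.10:80", "104.154.53.10", "tcp"),
]

PID_RE = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+)")

# Assumption: pool-name fragments and Stratum ports commonly seen in miner
# configs. A starting list for an analyst, not an authoritative one.
POOL_NAME_RE = re.compile(r"nanopool|supportxmr|hashvault|minexmr|moneroocean", re.I)
POOL_PORTS = {3333, 4444, 5555, 7777, 10300, 14444}


def injection_pairs(events):
    """(src_pid, dst_pid) pairs that both wrote memory into and reset a thread
    context in a process running a different image: the hollowing shape the
    report flags. The write count shows how many chunks were copied in."""
    actions = defaultdict(lambda: {"write": 0, "ctx": 0, "cross_image": False})
    for sig, desc, proc, target in events:
        m = PID_RE.search(desc)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        if sig == "WriteProcessMemory":
            actions[key]["write"] += 1
        elif sig == "SetThreadContext":
            actions[key]["ctx"] += 1
        if proc.lower() != target.lower():
            actions[key]["cross_image"] = True
    return {k: v for k, v in actions.items()
            if v["write"] and v["ctx"] and v["cross_image"]}


def lock_memory_holders(events):
    """Images that enabled SeLockMemoryPrivilege. XMRig asks for it to use
    large pages for RandomX, so explorer.exe doing this is a strong tell."""
    return sorted({proc for sig, desc, proc, _ in events
                   if sig == "AdjustPrivilegeToken"
                   and "SeLockMemoryPrivilege" in desc})


def pool_connections(network):
    """TCP destinations whose domain or port looks like a mining pool."""
    hits = []
    for _, dest, domain, proto in network:
        if proto != "tcp":
            continue
        host, _, port = dest.rpartition(":")
        if POOL_NAME_RE.search(domain) or int(port) in POOL_PORTS:
            hits.append((host, int(port), domain))
    return hits


def assess(events, network):
    """Combine the three signals into one structured finding."""
    pairs = injection_pairs(events)
    holders = lock_memory_holders(events)
    pools = pool_connections(network)
    return {
        "hollowing": sorted(pairs),
        "write_count": {f"{s}->{d}": v["write"] for (s, d), v in pairs.items()},
        "lock_memory_privilege": holders,
        "pool_connections": pools,
        "verdict": ("miner injected into trusted process"
                    if pairs and holders and pools else "inconclusive"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_EVENTS, SAMPLE_NETWORK), indent=2))
```

The verdict deliberately requires all three signals: SetThreadContext alone is also what debuggers and some legitimate installers do, and a lone connection to a pool port is how a user-installed miner looks, so neither should fire on its own.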
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:13
Platform
win11-20241007-en
Max time kernel
1798s
Max time network
1795s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
12 matches (no per-match detail rendered)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1244 set thread context of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
17 matches (no per-match detail rendered)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1244 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1244 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1244 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1244 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 1244 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
(6 identical connections to 104.154.53.10:80 collapsed into the row above)
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
(24 identical connections to 104.154.53.10:80 collapsed into the row above)
Files
memory/652-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-8-0x0000000001620000-0x0000000001640000-memory.dmp
memory/652-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-16-0x00000000016C0000-0x00000000016E0000-memory.dmp
memory/652-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/652-21-0x0000000013B10000-0x0000000013B30000-memory.dmp
memory/652-22-0x0000000013D40000-0x0000000013D60000-memory.dmp
memory/652-23-0x0000000013B10000-0x0000000013B30000-memory.dmp
memory/652-24-0x0000000013D40000-0x0000000013D60000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:38
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1796s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 matches (no per-match detail rendered)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4400 set thread context of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
16 matches (no per-match detail rendered)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4400 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4400 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4400 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4400 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4400 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
(27 identical connections to 104.154.53.10:80 collapsed into the row above)
Files
memory/4796-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-8-0x00000000028D0000-0x00000000028F0000-memory.dmp
memory/4796-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-16-0x0000000012FF0000-0x0000000013010000-memory.dmp
memory/4796-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4796-21-0x0000000013530000-0x0000000013550000-memory.dmp
memory/4796-22-0x0000000013760000-0x0000000013780000-memory.dmp
memory/4796-23-0x0000000013530000-0x0000000013550000-memory.dmp
memory/4796-24-0x0000000013760000-0x0000000013780000-memory.dmp
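The Files lists in each run are memory snapshots, named memory/<pid>-<snapshot number>-<start>-<end>-memory.dmp, and every one of them belongs to the hollowed explorer.exe PID rather than to Test5.exe. Most snapshots cover one 0x835000-byte (about 8.2 MiB) region starting at 0x140000000, the default preferred image base for 64-bit EXEs, which is consistent with a full PE image manually mapped into the host rather than a heap or stack allocation; the remaining regions are 128 KiB each. The script below is an added example, not part of the report or of Triage, that parses these names, groups them by region and points at the candidate injected image. The sample names are a subset copied from the behavioral21 list above.

```python
"""Interpret memory/<pid>-<n>-<start>-<end>-memory.dmp names from the report.

Added example, not part of the sandbox report or of Triage. SAMPLE_DUMPS is
a subset copied from the behavioral21 Files list (explorer.exe, PID 4796).
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default preferred image base MSVC assigns to 64-bit EXEs. A large region
# at this address inside explorer.exe, which is not itself a 0x140000000
# image in these dumps, is the candidate manually mapped payload.
DEFAULT_X64_EXE_BASE = 0x140000000

SAMPLE_DUMPS = [
    "memory/4796-1-0x0000000140000000-0x0000000140835000-memory.dmp",
    "memory/4796-2-0x0000000140000000-0x0000000140835000-memory.dmp",
    "memory/4796-8-0x00000000028D0000-0x00000000028F0000-memory.dmp",
    "memory/4796-14-0x0000000140000000-0x0000000140835000-memory.dmp",
    "memory/4796-16-0x0000000012FF0000-0x0000000013010000-memory.dmp",
    "memory/4796-21-0x0000000013530000-0x0000000013550000-memory.dmp",
    "memory/4796-23-0x0000000013530000-0x0000000013550000-memory.dmp",
]


def parse_dump_name(name):
    """Split one dump name into pid, snapshot sequence and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize(names):
    """Group dumps by (pid, start, end) and count snapshots of each region."""
    regions = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    out = []
    for (pid, start, end), seqs in sorted(regions.items()):
        out.append({"pid": pid, "start": start, "end": end, "size": end - start,
                    "snapshots": len(seqs), "first_seq": min(seqs)})
    return out


def likely_injected_image(summary, min_size=1 << 20):
    """Regions at the default x64 EXE base of at least min_size bytes: the
    candidate PE image hollowed into the host. Returns [(pid, size), ...]."""
    return [(r["pid"], r["size"]) for r in summary
            if r["start"] == DEFAULT_X64_EXE_BASE and r["size"] >= min_size]


def describe(summary):
    """One human-readable line per region."""
    lines = []
    for r in summary:
        tag = ("candidate image" if r["start"] == DEFAULT_X64_EXE_BASE
               else "small region")
        lines.append(f"pid {r['pid']} 0x{r['start']:x}-0x{r['end']:x} "
                     f"{r['size'] // 1024} KiB, {r['snapshots']} snapshot(s): {tag}")
    return lines


if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_DUMPS)):
        print(line)
```

Running it over a full Files list from any of the runs above gives the same picture: one repeatedly re-snapshotted 8 MiB image region in the explorer.exe PID plus a handful of 128 KiB regions, which is the shape to expect when the YARA "XMRig Miner payload" hits land in memory dumps rather than in a file on disk.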
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:38
Platform
win7-20240708-en
Max time kernel
1799s
Max time network
1794s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
8 matches (no per-match detail rendered)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2664 set thread context of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
13 matches (no per-match detail rendered)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2664 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2664 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2664 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2664 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 2664 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
(30 identical connections to 104.154.53.10:80 collapsed into the row above)
Files
memory/2676-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-8-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2676-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-16-0x00000000021F0000-0x0000000002210000-memory.dmp
memory/2676-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2676-17-0x0000000002220000-0x0000000002240000-memory.dmp
memory/2676-18-0x00000000021F0000-0x0000000002210000-memory.dmp
memory/2676-19-0x0000000002220000-0x0000000002240000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:38
Platform
win11-20241007-en
Max time kernel
1798s
Max time network
1792s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
12 matches (no per-match detail rendered)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1472 set thread context of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
17 matches (no per-match detail rendered)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1472 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1472 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1472 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1472 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1472 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
(29 identical connections to 104.154.53.10:80 collapsed into the row above)
Files
memory/2892-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-8-0x00000000004A0000-0x00000000004C0000-memory.dmp
memory/2892-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-16-0x00000000004D0000-0x00000000004F0000-memory.dmp
memory/2892-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-20-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2892-21-0x0000000002240000-0x0000000002260000-memory.dmp
memory/2892-22-0x0000000002260000-0x0000000002280000-memory.dmp
memory/2892-23-0x0000000002240000-0x0000000002260000-memory.dmp
memory/2892-24-0x0000000002260000-0x0000000002280000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 11:12
Platform
win7-20240708-en
Max time kernel
1800s
Max time network
1795s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
8 matches (no per-match detail rendered)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2848 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
13 matches (no per-match detail rendered)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2848 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2848 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2848 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2848 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2848 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
(30 identical connections to 104.154.53.10:80 collapsed into the row above)
Files
memory/2148-8-0x00000000001C0000-0x00000000001E0000-memory.dmp
memory/2148-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/2148-16-0x00000000FFEF0000-0x00000001001B0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:13
Platform
win11-20241023-en
Max time kernel
1799s
Max time network
1796s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 matches (no per-match detail rendered)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2344 set thread context of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
16 matches (no per-match detail rendered)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2344 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2344 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2344 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2344 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 2344 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4584-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-8-0x0000000000CD0000-0x0000000000CF0000-memory.dmp
memory/4584-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-16-0x0000000000D00000-0x0000000000D20000-memory.dmp
memory/4584-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4584-21-0x0000000002890000-0x00000000028B0000-memory.dmp
memory/4584-22-0x00000000028B0000-0x00000000028D0000-memory.dmp
memory/4584-23-0x0000000002890000-0x00000000028B0000-memory.dmp
memory/4584-24-0x00000000028B0000-0x00000000028D0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:28
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1801s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3436 set thread context of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3436 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3436 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3436 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3436 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.31.169.57:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/1736-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-8-0x0000000000E80000-0x0000000000EA0000-memory.dmp
memory/1736-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-16-0x0000000000F00000-0x0000000000F20000-memory.dmp
memory/1736-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-21-0x0000000002B40000-0x0000000002B60000-memory.dmp
memory/1736-22-0x0000000002B60000-0x0000000002B80000-memory.dmp
memory/1736-23-0x0000000002B40000-0x0000000002B60000-memory.dmp
memory/1736-24-0x0000000002B60000-0x0000000002B80000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:38
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1795s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4476 set thread context of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4476 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4476 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4476 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4476 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 4476 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/64-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-8-0x0000000000500000-0x0000000000520000-memory.dmp
memory/64-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-16-0x00000000009B0000-0x00000000009D0000-memory.dmp
memory/64-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/64-22-0x0000000012F00000-0x0000000012F20000-memory.dmp
memory/64-21-0x0000000012CD0000-0x0000000012CF0000-memory.dmp
memory/64-24-0x0000000012F00000-0x0000000012F20000-memory.dmp
memory/64-23-0x0000000012CD0000-0x0000000012CF0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 11:12
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1803s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4228 set thread context of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4228 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4228 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4228 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4228 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 4228 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/4420-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-8-0x0000000001310000-0x0000000001330000-memory.dmp
memory/4420-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-16-0x0000000001340000-0x0000000001360000-memory.dmp
memory/4420-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4420-22-0x00000000016C0000-0x00000000016E0000-memory.dmp
memory/4420-21-0x00000000016A0000-0x00000000016C0000-memory.dmp
memory/4420-23-0x00000000016A0000-0x00000000016C0000-memory.dmp
memory/4420-24-0x00000000016C0000-0x00000000016E0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 11:12
Platform
win10v2004-20241007-en
Max time kernel
1800s
Max time network
1805s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 864 set thread context of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 864 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 864 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 864 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 864 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 864 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| NL | 51.15.58.224:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.58.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
Files
memory/424-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-8-0x00000000012C0000-0x00000000012E0000-memory.dmp
memory/424-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-16-0x0000000001610000-0x0000000001630000-memory.dmp
memory/424-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/424-22-0x0000000013CD0000-0x0000000013CF0000-memory.dmp
memory/424-21-0x00000000016C0000-0x00000000016E0000-memory.dmp
memory/424-23-0x00000000016C0000-0x00000000016E0000-memory.dmp
memory/424-24-0x0000000013CD0000-0x0000000013CF0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 11:12
Platform
win7-20241010-en
Max time kernel
248s
Max time network
1805s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1688 set thread context of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1688 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1688 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1688 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1688 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 1688 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| FR | 51.15.193.130:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
Files
memory/3000-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-8-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/3000-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-15-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-17-0x0000000001C00000-0x0000000001C20000-memory.dmp
memory/3000-18-0x0000000001CA0000-0x0000000001CC0000-memory.dmp
memory/3000-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3000-20-0x0000000001C00000-0x0000000001C20000-memory.dmp
memory/3000-21-0x0000000001CA0000-0x0000000001CC0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:08
Platform
win10ltsc2021-20241023-en
Max time kernel
1800s
Max time network
1807s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 hits; no description, indicator, process or target recorded.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3048 set thread context of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
UPX packed file
16 hits; no description, indicator, process or target recorded.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3048 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3048 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3048 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
| PID 3048 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test2.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp | 1 |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp | 1 |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp | 1 |
Files
memory/32-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-8-0x0000000002550000-0x0000000002570000-memory.dmp
memory/32-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-16-0x0000000012C50000-0x0000000012C70000-memory.dmp
memory/32-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/32-21-0x00000000131A0000-0x00000000131C0000-memory.dmp
memory/32-22-0x00000000133D0000-0x00000000133F0000-memory.dmp
memory/32-23-0x00000000131A0000-0x00000000131C0000-memory.dmp
memory/32-24-0x00000000133D0000-0x00000000133F0000-memory.dmp
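The Network table of a run mixes three things that deserve different handling: the sample's own traffic (the forward lookup of the pool domain, the stratum connection on port 10300, and the repeated plain-HTTP connections to a bare IP with no hostname), reverse lookups (`*.in-addr.arpa`) that the sandbox issues for every peer it sees, and OS telemetry. The following is an added example, not part of this report or of the Triage service: it parses rows in Triage's per-connection form (the nine rows below are copied from the behavioral9 table above, with three beacon rows standing in for the thirty on the page), sorts them into those buckets, and emits the blockable IOCs. The pool and OS-noise suffix lists and all function names are my own assumptions; a real deployment would load them from threat-intel feeds.

```python
"""Separate a sample's own traffic from resolver and OS noise in a Triage Network table.

Added example, not part of the report. Rows are copied from the behavioral9 run;
the suffix lists and helper names are assumptions made for this illustration.
"""
import ipaddress
import re
from collections import Counter

# Copied from the behavioral9 Network table (Country | Destination | Domain | Proto).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
"""

# Assumption: a tiny vocabulary standing in for real threat-intel and allow lists.
MINING_POOL_SUFFIXES = ("nanopool.org",)
OS_NOISE_SUFFIXES = ("microsoft.com",)

ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([^|]+?):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(udp|tcp)\s*\|$")


def parse_rows(text):
    """Yield one dict per table row; lines that are not rows are skipped."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def matches(domain, suffixes):
    """Dot-anchored suffix match, so 'evilnanopool.org' does not match 'nanopool.org'."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(row):
    d = row["domain"]
    if row["port"] == 53 and row["proto"] == "udp":
        if d.endswith(".in-addr.arpa"):
            return "reverse_dns_noise"   # PTR lookups the sandbox issues for peers it has seen
        if matches(d, OS_NOISE_SUFFIXES):
            return "os_noise"
        return "dns_query"               # forward lookup made by the sample
    if matches(d, MINING_POOL_SUFFIXES):
        return "mining_pool"
    if matches(d, OS_NOISE_SUFFIXES):
        return "os_noise"
    if is_ip(d):
        return "raw_ip_beacon"           # no hostname at all: connection straight to an IP
    return "other"


def ptr_to_ip(domain):
    """'124.253.47.212.in-addr.arpa' -> '212.47.253.124'."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def iocs(text=NETWORK_ROWS):
    rows = list(parse_rows(text))
    kinds = Counter(classify(r) for r in rows)
    pools = sorted({(r["ip"], r["port"], r["domain"]) for r in rows if classify(r) == "mining_pool"})
    beacons = Counter((r["ip"], r["port"]) for r in rows if classify(r) == "raw_ip_beacon")
    queried = sorted({r["domain"] for r in rows if classify(r) == "dns_query"})
    # A PTR lookup for the pool IP corroborates that the connection happened; it is not an IOC itself.
    ptr_ips = {ptr_to_ip(r["domain"]) for r in rows if classify(r) == "reverse_dns_noise"}
    confirmed = [p for p in pools if p[0] in ptr_ips]
    return {"kinds": dict(kinds), "pools": pools, "beacons": dict(beacons),
            "dns_queries": queried, "pools_with_ptr": confirmed}


if __name__ == "__main__":
    for k, v in iocs().items():
        print(k, v)
```

Note that the pool domain resolves to a different address in almost every run on this page (51.15.193.130, 212.47.253.124, 54.37.232.103, 141.94.23.83, 163.172.154.142), so the domain and the port are the durable indicators, not the IP. The 104.154.53.10:80 connections are reported with no hostname and the page does not attribute them; the script counts them as a beacon pattern rather than labelling the destination.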
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:13
Platform
win7-20240708-en
Max time kernel
311s
Max time network
1796s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
8 hits; no description, indicator, process or target recorded.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2412 set thread context of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
13 hits; no description, indicator, process or target recorded.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2412 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2412 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2412 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2412 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 2412 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| PL | 54.37.232.103:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
Files
memory/1736-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-8-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/1736-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/1736-17-0x0000000002390000-0x00000000023B0000-memory.dmp
memory/1736-16-0x0000000001C50000-0x0000000001C70000-memory.dmp
memory/1736-19-0x0000000002390000-0x00000000023B0000-memory.dmp
memory/1736-18-0x0000000001C50000-0x0000000001C70000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:13
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1804s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 hits; no description, indicator, process or target recorded.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3716 set thread context of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
UPX packed file
16 hits; no description, indicator, process or target recorded.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp | 1 |
Files
memory/3076-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-8-0x0000000000550000-0x0000000000570000-memory.dmp
memory/3076-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-16-0x0000000002290000-0x00000000022B0000-memory.dmp
memory/3076-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-22-0x0000000012F30000-0x0000000012F50000-memory.dmp
memory/3076-21-0x0000000012D00000-0x0000000012D20000-memory.dmp
memory/3076-24-0x0000000012F30000-0x0000000012F50000-memory.dmp
memory/3076-23-0x0000000012D00000-0x0000000012D20000-memory.dmp
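Read together, the signature rows of a run describe one technique: the dropped `Test*.exe` writes into a freshly started `C:\Windows\explorer.exe` five times, then calls `SetThreadContext` on it (process hollowing), after which it is the hollowed explorer.exe, not the dropper, that enables `SeLockMemoryPrivilege` (xmrig does this to allocate large pages) and that the XMRig payload rule matches. The memory-dump names in the Files list add the last piece: a region at `0x140000000`, `0x835000` bytes long, inside the explorer.exe PID. `0x140000000` is the default image base the MSVC linker assigns to 64-bit executables, and explorer.exe's own image is ASLR-relocated, so a region at exactly that address, with the same size in every run on this page across Windows 7, 10 and 11, is the injected payload mapped at its preferred base. The following is an added example, not part of the report or of Triage: it parses rows copied from the behavioral13 run above, pairs the `WriteProcessMemory` and `SetThreadContext` events into a hollowing chain, attributes the privilege change to the hollowed process, and picks the payload region out of the dump names. The regexes for Triage's row and file-name formats, the helper names and the verdict threshold are my own assumptions.

```python
"""Correlate one Triage run's signature rows and memory-dump names into a hollowing verdict.

Added example, not part of the report or of Triage. Input lines are copied from the
behavioral13 run; the regexes, helper names and verdict rule are assumptions.
"""
import re
from collections import Counter

# Rows copied from the behavioral13 signature tables (Description | Indicator | Process | Target).
SIGNATURE_ROWS = r"""
| PID 3716 set thread context of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
| PID 3716 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test3.exe | C:\Windows\explorer.exe |
"""

# Dump names copied from the behavioral13 Files list (one per distinct region).
DUMP_NAMES = """
memory/3076-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3076-8-0x0000000000550000-0x0000000000570000-memory.dmp
memory/3076-16-0x0000000002290000-0x00000000022B0000-memory.dmp
memory/3076-21-0x0000000012D00000-0x0000000012D20000-memory.dmp
"""

# MSVC linker default image base for 64-bit EXEs. explorer.exe itself is ASLR-relocated, so a
# region at exactly this address inside explorer.exe is the payload mapped at its preferred base.
MSVC_X64_IMAGE_BASE = 0x140000000

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_rows(text):
    """Yield (description, indicator, process, target) for each table row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groups()


def parse_dumps(text):
    """Yield (pid, seq, start, end) for each Triage memory-dump file name."""
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, seq, start, end = m.groups()
            yield int(pid), int(seq), int(start, 16), int(end, 16)


def hollowing_chain(rows):
    """Pair WriteProcessMemory counts with SetThreadContext on the same (source, target) PIDs."""
    writes, ctx, images = Counter(), set(), {}
    for desc, _ind, proc, target in rows:
        for rx, bucket in ((WPM_RE, writes), (CTX_RE, ctx)):
            m = rx.search(desc)
            if m:
                key = (int(m.group(1)), int(m.group(2)))
                bucket.update([key])  # Counter.update counts the event, set.update records it
                images[key] = (proc, target)
    return [{"source_pid": s, "target_pid": t, "source_image": images[(s, t)][0],
             "target_image": images[(s, t)][1], "write_count": n,
             "set_thread_context": (s, t) in ctx} for (s, t), n in writes.items()]


def privileges_by_process(rows):
    """Map process path -> set of privileges it enabled through AdjustTokenPrivileges."""
    out = {}
    for desc, _ind, proc, _target in rows:
        m = TOKEN_RE.search(desc)
        if m:
            out.setdefault(proc, set()).add(m.group(1))
    return out


def payload_regions(dumps, target_pid):
    """(base, size) of regions in the target PID that sit at the MSVC default image base."""
    return [(start, end - start) for pid, _seq, start, end in dumps
            if pid == target_pid and start == MSVC_X64_IMAGE_BASE]


def verdict(sig_text=SIGNATURE_ROWS, dump_text=DUMP_NAMES):
    rows, dumps = list(parse_rows(sig_text)), list(parse_dumps(dump_text))
    chains = hollowing_chain(rows)
    if not chains:
        return {"malicious": False, "reasons": []}
    chain = chains[0]
    privs = privileges_by_process(rows)
    regions = payload_regions(dumps, chain["target_pid"])
    reasons = []
    if chain["write_count"] and chain["set_thread_context"]:
        reasons.append("%d WriteProcessMemory calls then SetThreadContext from %s into %s (hollowing)"
                       % (chain["write_count"], chain["source_image"], chain["target_image"]))
    if "SeLockMemoryPrivilege" in privs.get(chain["target_image"], set()):
        reasons.append("hollowed process enabled SeLockMemoryPrivilege (large pages, as xmrig does)")
    for base, size in regions:
        reasons.append("payload image at 0x%X, 0x%X bytes, inside %s" % (base, size, chain["target_image"]))
    return {"chain": chain, "payload_regions": regions, "reasons": reasons, "malicious": len(reasons) >= 2}
```

The region `0x140000000`–`0x140835000` is the thing to pivot on: it is identical for PIDs 3000, 32, 1736, 3076, 3092 and 4716 on every platform listed, so a dump of it from any one run is the unpacked miner, and its size (`0x835000`) is a usable rule constraint even before the bytes are examined.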
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:34
Platform
win10v2004-20241007-en
Max time kernel
1799s
Max time network
1799s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 hits; no description, indicator, process or target recorded.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1980 set thread context of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
16 hits; no description, indicator, process or target recorded.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1980 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1980 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1980 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 1980 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| FR | 212.47.253.124:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp | 1 |
Files
memory/3092-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-8-0x00000000010A0000-0x00000000010C0000-memory.dmp
memory/3092-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-16-0x00000000013E0000-0x0000000001400000-memory.dmp
memory/3092-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/3092-21-0x00000000137C0000-0x00000000137E0000-memory.dmp
memory/3092-22-0x00000000139F0000-0x0000000013A10000-memory.dmp
memory/3092-23-0x00000000137C0000-0x00000000137E0000-memory.dmp
memory/3092-24-0x00000000139F0000-0x0000000013A10000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-13 10:41
Reported
2024-11-13 12:38
Platform
win10ltsc2021-20241023-en
Max time kernel
1799s
Max time network
1803s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
11 hits; no description, indicator, process or target recorded.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 796 set thread context of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
16 hits; no description, indicator, process or target recorded.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 796 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 796 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 796 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 796 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 796 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp | 1 |
| FR | 163.172.154.142:10300 | xmr-eu1.nanopool.org | tcp | 1 |
| US | 8.8.8.8:53 | 142.154.172.163.in-addr.arpa | udp | 1 |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp | 30 |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp | 1 |
Files
memory/4716-1-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-3-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-2-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-4-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-5-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-8-0x0000000002E30000-0x0000000002E50000-memory.dmp
memory/4716-6-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-7-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-11-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-12-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-10-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-9-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-13-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-14-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-16-0x0000000002E50000-0x0000000002E70000-memory.dmp
memory/4716-17-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-18-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-19-0x0000000140000000-0x0000000140835000-memory.dmp
memory/4716-21-0x0000000013A70000-0x0000000013A90000-memory.dmp
memory/4716-22-0x0000000013CA0000-0x0000000013CC0000-memory.dmp
memory/4716-23-0x0000000013A70000-0x0000000013A90000-memory.dmp
memory/4716-24-0x0000000013CA0000-0x0000000013CC0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted: 2024-11-13 10:41
Reported: 2024-11-13 11:12
Platform: win10ltsc2021-20241023-en
Max time kernel: 1800s
Max time network: 1795s
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2316 set thread context of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2316 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2316 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2316 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
| PID 2316 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted: 2024-11-13 10:41
Reported: 2024-11-13 12:38
Platform: win10v2004-20241007-en
Max time kernel: 1799s
Max time network: 1795s
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1272 set thread context of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1272 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1272 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1272 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1272 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
| PID 1272 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test5.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:10300 | xmr-eu1.nanopool.org | tcp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.53.154.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted: 2024-11-13 10:41
Reported: 2024-11-13 12:38
Platform: win11-20241007-en
Max time kernel: 1799s
Max time network: 1796s
Signatures
Xmrig family
xmrig
XMRig Miner payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4764 set thread context of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4764 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4764 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4764 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4764 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
| PID 4764 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe | C:\Windows\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe
"C:\Users\Admin\AppData\Local\Temp\Triage\Test4.exe"
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.154.53.10:80 | 104.154.53.10 | tcp |
| PL | 54.37.137.114:10300 | xmr-eu1.nanopool.org | tcp |
Files